Preface



This volume contains the proceedings of the 15th International Conference on 
Concurrency Theory (CONCUR 2004) held in the Royal Society, London, UK, 
from the 31st August to the 3rd September, 2004. 

The purpose of the CONCUR conferences is to bring together researchers, developers and students in order to advance the theory of concurrency and promote its applications. Interest in this topic is continually growing, as a consequence of the importance and ubiquity of concurrent systems and their applications, and of the scientific relevance of their foundations. The scope covers all areas of semantics, logics, and verification techniques for concurrent systems. Topics include concurrency-related aspects of: models of computation, semantic domains, process algebras, Petri nets, event structures, real-time systems, hybrid systems, decidability, model-checking, verification techniques, refinement techniques, term and graph rewriting, distributed programming, logic constraint programming, object-oriented programming, typing systems and algorithms, case studies, tools and environments for programming and verification.

This volume starts with four invited papers from Sriram Rajamani, Steve Brookes, Bengt Jonsson and Peter O’Hearn. The remaining 29 papers were selected by the program committee from 134 submissions, a record number of submissions to CONCUR. The standard was extremely high and the selection difficult. Each submission received at least three reports, reviewed by the program committee members or their subreferees. Once the initial reviews were available, we had 16 days for paper selection and conflict resolution. We would like to thank all members of the CONCUR 2004 Program Committee for their excellent work throughout the intensive selection process, together with many subreferees who assisted us in the evaluation of the submitted papers.

The conference includes talks by several invited speakers: invited seminars by David Harel (Weizmann Institute) and Sriram Rajamani (Microsoft Research, Redmond), and invited tutorials by Steve Brookes (Carnegie-Mellon) and Peter O’Hearn (Queen Mary, University of London), and by Bengt Jonsson (Uppsala).

The conference has 11 satellite events: 

— Workshop on Structural Operational Semantics (SOS 2004), organised by Luca Aceto.

— 11th International Workshop on Expressiveness in Concurrency (EXPRESS 2004), organised by Flavio Corradini.

— II Workshop on Object-Oriented Developments (WOOD 2004), organised by Viviana Bono.

— 3rd International Workshop on Foundations of Coordination Languages and Software Architectures (FOCLASA 2004), organised by Jean-Marie Jacquet.

— 2nd International Workshop on Security Issues in Coordination Models, Languages and Systems (SECCO 2004), organised by Gianluigi Zavattaro.

— Workshop on Concurrent Models in Molecular Biology (BIOCONCUR 2004), organised by Anna Ingolfsdottir.

— Global Ubiquitous Computing (FGUC 2004), organised by Julian Rathke.

— 3rd International Workshop on Parallel and Distributed Methods in Verification (PDMC 2004), organised by Martin Leucker.

— 4th International Workshop on Automated Verification of Critical Systems (AVoCS 2004), organised by Michael Huth.

— 1st International Workshop on Practical Applications of Stochastic Modelling (PASM 2004), organised by Jeremy Bradley.

— 6th International Workshop on Verification of Infinite-State Systems (INFINITY 2004), organised by Julian Bradfield.

We would like to thank the conference organisation chair Iain Phillips, the local organisers Alex Ahern and Sergio Maffeis, the workshop organisation chairs Julian Rathke and Vladimiro Sassone, and the workshop organisers. Finally we thank the invited speakers, invited tutorial speakers and the authors of submitted papers for participating in what promises to be a very interesting conference.

We gratefully acknowledge support from the Department of Computing, Imperial College London, the Engineering and Physical Sciences Research Council (EPSRC), Microsoft Research in Cambridge, and the Royal Society.
Abstract. Model checking is a technique for finding bugs in systems by systematically exploring their state spaces. We wish to extract sound models from concurrent programs automatically and check the behaviors of these models systematically. The ZING project is an effort to build a flexible infrastructure to represent and model check abstractions of large concurrent software.

To support automatic extraction of models from programs written in common programming languages, ZING’s modeling language supports three facilities present in modern programming languages: (1) procedure calls with a call-stack, (2) objects with dynamic allocation, and (3) processes with dynamic creation, using both shared memory and message passing for communication. We believe that these three facilities capture the essence of model checking modern concurrent software.

Building a scalable model-checker for such an expressive modeling language is a huge challenge. ZING’s modular architecture provides a clear separation between the expressive semantics of the modeling language, and a simple view of ZING programs as labeled transition systems. This separation has allowed us to decouple the design of efficient model checking algorithms from the complexity of supporting rich constructs in the modeling language.

ZING’s model checking algorithms have been designed to exploit existing structural abstractions in concurrent programs such as processes and procedure calls. We present two such novel techniques in the paper: (1) compositional checking of ZING models for message-passing programs using a conformance theory inspired by work in the process algebra community, and (2) a new summarization algorithm, which enables ZING to reuse work at procedure boundaries by extending interprocedural dataflow analysis algorithms from the compiler community to analyze concurrent programs.



1 Introduction 

The goal of the ZING project is to check properties of concurrent heap-manipulating programs using model checking. By systematically exploring the state space, model checkers are able to find tricky concurrency errors that are impossible to find using conventional testing methods. Industrial software has such a large number of states that it is infeasible for any systematic approach to cover all the reachable states. Our goal is to automatically extract a model from a program, where a model keeps track of only a small amount of information about the program with respect to the property being checked. Then, it is feasible to systematically explore all the states of the model. Further, we want these models to be sound abstractions of the program — a property proved on the model should hold on the program as well.

How expressive should the model be? Choosing a very restricted model such as finite-state machines makes the task of building the model checker easy, but the task of extracting such a model from a program becomes hard. On the other hand, building a model checker directly for a programming language is hard, due to the number of features present in programming languages. We believe that the following features capture the essence of modern concurrent object-oriented languages, from the point of view of building sound abstractions for model checking: (1) procedure calls with a call-stack, (2) objects with dynamic allocation, and (3) processes with dynamic creation, using both shared memory and message passing for communication. We designed ZING’s modeling language to have exactly these features.

Building a scalable model checker for the ZING modeling language is a huge challenge since the states of a ZING model have complicated features such as processes, heap and stack. We designed a lower-level model called ZING object model (or ZOM), and built a ZING compiler to convert a ZING model to ZOM. The compiler provides a clear separation between the expressive semantics of the modeling language, and a simple view of ZOM as labeled transition systems. This separation has allowed us to decouple the design of efficient model checking algorithms from the complexity of supporting rich constructs in the modeling language.

Writing a simple DFS model checker on top of ZOM is very easy and can be done with a 10-line loop. However, this simple model checker does not scale. For building scalable checkers, we have to exploit the structural boundaries present in the source program that are preserved in the ZING model. Processes, procedures and objects are perhaps the structural abstractions most widely used by programmers. Structural boundaries enable compositional model checking, and help alleviate the state-explosion problem. For implementing optimized model checking algorithms that exploit such structure, we had to expose more information about the state of the model in ZOM.

In well-synchronized shared memory programs, any computation of a process can be viewed as a sequence of transactions, each of which appears to execute atomically to other processes. An action is called a right (left) mover if it can be commuted to the right (left) of any action of another process in any execution. A transaction is a sequence of right movers, followed by at most a single atomic action, followed by a sequence of left movers. During model checking, it is sufficient to schedule processes only at transaction boundaries, and this results in an exponential reduction in the number of states explored. To implement such transaction-based reduction, we extended the ZOM to expose information about the type of action executed — right mover, left mover, both left and right mover, neither left nor right mover.

The ability to summarize procedures is fundamental to building scalable interprocedural analyses. For sequential programs, procedure summarization is well-understood and used routinely in a variety of compiler optimizations and software defect-detection tools. This is not the case for concurrent programs. If we expose procedure boundaries in the ZOM, we can summarize procedures that are entirely contained within transactions. When a transaction starts in one procedure and ends in another, we can break the summary piece-wise and record smaller sub-summaries in the context of each sub-procedure. The procedure summaries thus computed allow reuse of analysis results across different call sites in a concurrent program, a benefit that has hitherto been available only to sequential programs [15].

We are interested in checking that a process in a communicating system cannot wait indefinitely for a message that is never sent, and cannot send a message that is never received. A process that passes this check is said to be stuck-free [16, 7, 8]. We have defined a conformance relation ≤ on processes with the following substitutability property: if I ≤ C and P is any environment such that the parallel composition P | C is stuck-free, then P | I is stuck-free as well. Substitutability enables a component’s specification to be used instead of the component in invocation contexts, and hence enables model checking to scale. By exposing observable events during the execution of each action in ZOM, we can build a conformance-checker to check if one ZING model (the implementation) conforms with another ZING model (the specification).

The goal of this paper is to describe the architecture and algorithms in ZING. A checking tool is useless without compelling applications where the checker provides value. We have used ZING to check stuck-freeness of distributed applications, concurrency errors in device drivers, and protocol errors in a replicated file system. We have also built extractors from several programming languages to ZING. Since ZING provides core features of object-oriented languages, building such extractors is conceptually simple. Describing the details of these applications and extractors is beyond the scope of this paper.

To summarize, the ZING project is centered around three core principles:

1. It is possible to extract sound models from concurrent programs. To enable construction of simple extractors from common programming languages, the ZING modeling language has three core features: (1) procedure calls, (2) objects and (3) processes.

2. It is beneficial to construct an intermediate model ZOM, which presents a simple view of ZING models as labeled transition systems. We have constructed various model checkers over this simple view.

3. Since ZING’s modeling language preserves abstraction boundaries in the source program, we can exploit these boundaries to do compositional model checking, and help alleviate the state-explosion problem. Doing this requires exposing more information about the state and actions in ZOM. By exposing mover information about executed actions we have been able to implement transaction based reduction. By exposing information about procedure boundaries, we have been able to implement a novel summarization algorithm for concurrent programs. By exposing the observable events during execution of each action, we have been able to build a novel conformance checker to compositionally check if a ZING model is stuck-free.

Related Work. The SPIN project [10] pioneered explicit-state model checking of concurrent processes. The SPIN checker analyzes protocol descriptions written in the PROMELA language. Though PROMELA supports dynamic process creation, it is difficult to encode concurrent software in PROMELA due to the absence of procedure calls and objects. Efforts have been made to abstract C code into PROMELA [11] to successfully find several bugs in real-life telephone switching systems, though no guarantees were given as to whether the generated PROMELA model is a sound abstraction of the C code. Over the past few years, there has been interest in using SPIN-like techniques to model check software written in common programming languages. DSPIN was an effort to extend SPIN with dynamic software-like constructs [12]. Model checkers have also been written to check Java programs either directly [21, 20, 18] or by constructing slices or other abstractions [6]. Unlike ZING, none of these approaches exploit program abstractions such as processes and procedure calls to do modular model checking. The SLAM project [4] has similar goals to ZING in that it works by extracting sound models from C programs, and checking the models. SLAM has been very successful in checking control-dominated properties of device drivers written in C. Unlike ZING, it does not handle concurrent programs, and it is unable to prove interesting properties on heap-intensive programs.

Outline. The remainder of the paper is structured as follows. We explain the features of ZING’s modeling language, and discuss the modular software architecture of ZING in Section 2. We discuss the novel compositional algorithms of ZING in Section 3. Section 4 concludes the paper with a discussion of current status and future work.



2 Architecture 

ZING’s modeling language provides several features to support automatic generation of models from programs written in common programming languages. It supports a basic asynchronous interleaving model of concurrency with both shared memory and message passing. In addition to sequential flow, branching and iteration, ZING supports function calls and exception handling. New processes are created via asynchronous function calls. An asynchronous call returns to the caller immediately, and the callee runs as a fresh process in parallel with the caller. Primitive and reference types, and an object model similar to C# or Java, are supported, although inheritance is currently not supported. ZING also provides features to support abstraction and efficient state exploration. Any sequence of statements (with some restrictions) can be bracketed as atomic. This is essentially a directive to the model checker to not consider interleavings with other processes while any given process executes an atomic sequence. Sets are supported, to represent collections where the ordering of objects is not important (thus reducing the number of potentially distinct states ZING needs to explore). A choose construct that can be used to non-deterministically pick an element out of a finite set of integers, enumeration values, or object references is provided. A complete language specification can be found in [1]. An example ZING model that we extracted from a device driver, and details of an error trace that the ZING model checker found in the model, can be found in [2].




Fig. 1. Architecture of ZING



ZING is designed to have a flexible software architecture. The architecture is designed to promote an efficient division of labor between model checking researchers and domain experts, and make it possible for model checking researchers to innovate in the core state-space exploration technology while allowing domain experts to tackle issues such as extracting ZING models from their source code, and visualization for showing results from the model checker. Once model extraction is done, the generated ZING model is fed into a ZING compiler which converts the ZING model into an MSIL¹ object code called ZING object model (ZOM). The object code supports a specific interface intended to be used by the model checker. The ZOM assembly has an object of type State which has a stack for each process, a global storage area of static class variables, and a heap for dynamically allocated objects. Several aspects of managing the internals of the State object can be done generically, for all ZING models. This common state management functionality is factored into the ZING runtime library.

¹ MSIL stands for Microsoft Intermediate Language, which is the instruction set for Microsoft’s Common Language Runtime.

The equality operator for the State class is overridden to test equality using a “fingerprint” of the state with the following property: (1) if state s1 is a symmetric equivalent of state s2 then fingerprint(s1) = fingerprint(s2), and (2) if fingerprint(s1) = fingerprint(s2), then states s1 and s2 are equivalent with a high probability. Because states are compared frequently and the state vector is potentially large, the use of fingerprints is generally advantageous. Further, when all of the immediate children of a state have been generated, the full state representation may be discarded provided the fingerprint is retained. Two states are equivalent if the contents of the stacks and global variables are identical and the heaps are isomorphic. The fingerprinting algorithm for the State object first constructs a canonical representation of the state by traversing the heap in a deterministic order [12]. Thus, equivalent states have equal fingerprints. We observe that most state transitions modify only a small portion of the State object. The State object records an “undo-log” and uses it to reverse transitions, thereby avoiding cloning the entire state while doing depth-first search.



    Stack dfsStack;
    Hashtable stateHash;

    void addState(State I) {
        if (!stateHash.Contains(I)) {
            stateHash.Add(I, I);   // Hashtable takes a key/value pair; State.Equals compares fingerprints
            dfsStack.Push(I);
        }
    }

    void doDfs(State initialState) {
        addState(initialState);
        while (dfsStack.Count >= 1) {
            State I = (State) dfsStack.Peek();
            State newI = I.GetNextSuccessor();   // null once every successor of I has been generated
            if (newI != null)
                addState(newI);
            else
                dfsStack.Pop();
        }
    }

Fig. 2. Simple DFS model checker for ZING

The State object exposes a GetNextSuccessor method that returns the next successor of the state. By iteratively calling this method, all successor states of the current state can be generated. Model checkers use the method GetNextSuccessor to execute a process for one atomic step. The execution semantics of the process, which includes complicated activities like process creation, function call, exceptions, dynamic memory allocation, are all handled by the implementation of GetNextSuccessor using support from the ZING compiler and runtime. Model checkers are thus decoupled from the intricate execution semantics supported by ZING. The actual implementation of the State object is quite complicated since it has to represent stacks for each process, a global area and the heap. Using the interface provided by ZOM’s State object, a simple depth-first search model checker for ZING can be written in less than ten lines as shown in Figure 2. The model checker stores fingerprints of visited states in a hash table stateHash. When visiting each new state, the model checker first checks if the fingerprint of the new state is already present in the stateHash, and if present avoids re-exploring the new state. When the checker reaches an erroneous state, the entire trace that leads to the error is present in the model checker’s DFS stack, and we can display the trace at the source level (this is omitted in Figure 2 for simplicity).



3 Algorithms 

Since zing’s modeling language preserves abstraction boundaries in the source 
program, we can exploit these boundaries to do compositional model checking, 
and help alleviate the state-explosion problem. Doing this requires exposing more 
information about the state and actions in ZOM. By exposing mover informa- 
tion about executed actions, we have been able to implement transaction based 
reduction. By exposing information about procedure boundaries, we have been 
able to implement a novel summarization algorithm for concurrent programs. By 
exposing the observable events during execution of each action, we have been 
able to build a novel conformance checker to compositionally check if a ZING 
model is stuck- free. 

3.1 Model Checker with Reduction 

We have implemented a state-reduction algorithm that has the potential to reduce the number of explored states exponentially without missing errors. This algorithm is based on Lipton’s theory of reduction [13]. Our algorithm is based on the insight that in well-synchronized programs, any computation of a process can be viewed as a sequence of transactions, each of which appears to execute atomically to other processes. An action is called a right mover if it can be commuted to the right of any action of another process in any execution. Similarly, an action is called a left mover if it can be commuted to the left of any action of another process in any execution. A transaction is a sequence of right movers, followed by a single (atomic) action with no restrictions, followed by a sequence of left movers. During state exploration, it is sufficient to schedule processes only at transaction boundaries. These inferred transactions reduce the number of interleavings to be explored, and thereby greatly alleviate the problem of state explosion. To implement transaction-based reduction, we augmented the GetNextSuccessor method so that it returns the type of the action executed (i.e., left mover, right mover, non mover or both mover), and the model checker uses this information to infer transaction boundaries.
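The following Python program is an added example, not ZING’s code, that serves two passages: the fingerprint-keyed DFS loop of Figure 2 (Section 2) and the mover-based scheduling described in this section. The model is a constructed toy (names such as LOCKED, UNLOCKED, step, successors and check are chosen here): n identical processes each increment a shared counter g, either under a lock or without one, and every action carries a mover class in place of what the augmented GetNextSuccessor would report. With reduce=False the checker is the plain interleaving DFS of Figure 2; with reduce=True a process that has started a transaction is the only one scheduled until it reaches a boundary, so right movers (lock acquire) and lock-protected both movers are never interleaved with other processes. One simplification is assumed: if the transaction owner blocks during its pre-commit phase, the transaction is closed at that point and all processes become schedulable, which is sound because everything executed so far was a right mover.

```python
"""Explicit-state DFS with Lipton transaction reduction (added example).

Constructed toy model, not ZING's code: n identical processes run a
straight-line program over one shared integer g and one lock.  Each action is
labelled with its mover class, standing in for what ZING's augmented
GetNextSuccessor reports.  check(prog, n, reduce=False) is Figure 2's loop
with a fingerprint set; reduce=True only switches processes at transaction
boundaries.
"""
import hashlib
from typing import List, Optional, Tuple

RIGHT, LEFT, BOTH, NONE = "right", "left", "both", "none"

# Opcodes: init (tmp = -1, purely local), acq/rel (the single lock),
# load (tmp = g), store (g = tmp + 1).  Mover classes follow the usual lock
# discipline: acquire is a right mover, release a left mover, a lock-protected
# access a both mover, an unprotected shared access a non-mover.
LOCKED = (("init", BOTH), ("acq", RIGHT), ("load", BOTH), ("store", BOTH), ("rel", LEFT))
UNLOCKED = (("init", BOTH), ("load", NONE), ("store", NONE))

# State = (pcs, tmps, phases, lock_owner, g).  phases[i] is 0 when process i is
# between transactions, 1 in its pre-commit phase, 2 in its post-commit phase.
State = Tuple[Tuple[int, ...], Tuple[int, ...], Tuple[int, ...], int, int]

def initial(n: int) -> State:
    return ((0,) * n, (0,) * n, (0,) * n, -1, 0)

def _put(t: tuple, i: int, v) -> tuple:
    return t[:i] + (v,) + t[i + 1:]

def step(prog, s: State, i: int, reduce: bool) -> Optional[State]:
    """Execute process i's next action; None if i has finished or is blocked."""
    pcs, tmps, phases, owner, g = s
    if pcs[i] >= len(prog):
        return None
    op, mover = prog[pcs[i]]
    if op == "acq":
        if owner != -1:
            return None                 # lock held by another process: blocked
        owner = i
    elif op == "rel":
        owner = -1
    elif op == "init":
        tmps = _put(tmps, i, -1)
    elif op == "load":
        tmps = _put(tmps, i, g)
    elif op == "store":
        g = tmps[i] + 1
    if reduce:
        # right and both movers extend the pre-commit phase; a left mover or a
        # non-mover is the committing action, after which only left movers follow
        ph = 2 if (phases[i] == 2 or mover in (LEFT, NONE)) else 1
        phases = _put(phases, i, ph)
    return (_put(pcs, i, pcs[i] + 1), tmps, phases, owner, g)

def successors(prog, s: State, reduce: bool) -> List[State]:
    """All next states under interleaving, or with reduction the single next
    state of the process that is currently inside a transaction."""
    n = len(s[0])
    active = [i for i in range(n) if s[2][i] != 0]
    if reduce and active:
        i = active[0]
        pc, ph = s[0][i], s[2][i]
        extends = pc < len(prog) and (ph == 1 or prog[pc][1] in (LEFT, BOTH))
        if extends:
            t = step(prog, s, i, True)
            if t is not None:
                return [t]              # no context switch inside a transaction
        # boundary reached, or the owner blocked in its pre-commit phase (only
        # right movers executed so far): close the transaction, schedule everyone
        s = (s[0], s[1], _put(s[2], i, 0), s[3], s[4])
    return [t for t in (step(prog, s, i, reduce) for i in range(n)) if t is not None]

def fingerprint(s: State) -> bytes:
    """Stand-in for ZING's state fingerprint: a short hash of a canonical encoding."""
    return hashlib.blake2b(repr(s).encode(), digest_size=8).digest()

def check(prog, n: int, reduce: bool) -> Tuple[int, Optional[State]]:
    """DFS over the model.  Property: once all processes have finished, g == n
    (no lost update).  Returns (states explored, violating state or None)."""
    init = initial(n)
    seen = {fingerprint(init)}
    stack = [init]
    while stack:
        s = stack.pop()
        if all(pc >= len(prog) for pc in s[0]) and s[4] != n:
            return len(seen), s
        for t in successors(prog, s, reduce):
            fp = fingerprint(t)
            if fp not in seen:
                seen.add(fp)
                stack.append(t)
    return len(seen), None
```

Running check(LOCKED, 2, True) explores fewer states than check(LOCKED, 2, False) and neither reports a violation, while for UNLOCKED both modes find the final state with g = 1: the non-mover accesses commit every transaction immediately, so the reduction keeps exactly the interleavings that can expose the lost update.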
3.2 Model Checker with Summarization

The ability to summarize procedures is fundamental to building scalable interprocedural analyses. For sequential programs, procedure summarization is well-understood and used routinely in a variety of compiler optimizations and software defect-detection tools. The summary of a procedure P contains the state pair (s, s') if in state s, there is an invocation of P that yields the state s' on termination. Summaries enable reuse — if P is called from two different places with the same state s, the work done in analyzing the first call is reused for the second. This reuse is the key to scalability of interprocedural analyses. Additionally, summarization avoids direct representation of the call stack, and guarantees termination of the analysis even if the program has recursion.

However, the benefit of summarization is not available to concurrent programs, for which a clear notion of summaries has so far remained unarticulated in the research literature. ZING has a novel two-level model checking algorithm for concurrent programs using summaries [15]. The first level performs reachability analysis and maintains an explicit stack for each process. The second level computes a summary for each procedure. During the reachability analysis at the first level, whenever a process makes a procedure call, we invoke the second level to compute a summary for the procedure. This summary is returned to the first level, which uses it to continue the reachability analysis. The most crucial aspect of this algorithm is the notion of procedure summaries in concurrent programs. A straightforward generalization of a (sequential) procedure summary to the case of concurrent programs could attempt to accumulate all state pairs (s, s') obtained by invoking this procedure in any process. But this simple-minded extension is not that meaningful, since the resulting state s' for an invocation of a procedure P in a process might reflect updates by interleaved actions of concurrently executing processes. Clearly, these interleaved actions may depend on the local states of the other processes. Thus, if (s, s') is an element of such a summary, and the procedure P is invoked again by some process in state s, there is no guarantee that the invoking process will be in state s' on completing execution of P. However, in well-synchronized programs, any computation of a process can be viewed as a sequence of transactions, each of which appears to execute atomically to other processes. Thus, within a transaction, we are free to summarize procedures. Two main technical difficulties arise while performing transaction-based summarization of procedures:

— Transaction boundaries may not coincide with procedure boundaries. One way to summarize such transactions is to have a stack frame as part of the state in each summary. However, this solution not only complicates the algorithm but also makes the summaries unbounded even if all state variables have a finite domain. Our summaries do not contain stack frames. If a transaction begins in one procedure context and ends in another procedure context, we break up the summary into smaller sub-summaries each within the context of a single procedure. Thus, our model checking algorithm uses a combination of two representations — states with stacks and summaries without stacks.

— A procedure can be called from different phases of a transaction — the pre-commit phase or the post-commit phase. We need to summarize the procedure differently depending on the phase of the transaction at the call site. We solve this problem by instrumenting the source program with a boolean variable representing the transaction phase, thus making the transaction phase part of the summaries.

Assertion checking for concurrent programs with finite-domain variables and recursive procedures is undecidable [17]. Thus, the two-level model-checking algorithm is not guaranteed to terminate. However, if all variables are finite domain and every call to a recursive procedure is contained entirely within a transaction, the two-level algorithm will terminate with the correct answer [15].



    int g;

    void baz(int x, int y) {
        g = x + 1;
    }

Fig. 3. Small example to illustrate patterns and effects



Our implementation of the two-level model checking algorithm in ZING represents a summary as a pattern and effect pair, rather than a state pair. A pattern is a partial map from (read) variables to values, and an effect is a partial map from (written) variables to values. The ZOM supports summarization by exposing (1) whether the executed action is a procedure call or return, and (2) what variables are read and written during an action. Patterns and effects enable better reuse of summaries than state pairs. For example, consider the function baz from Figure 3. If baz is called with a state (x=0, y=1, g=0), it results in state (x=0, y=1, g=1). We represent a summary of this computation as a pattern (x=0) and an effect (g=1). Thus, if baz is called with a state (x=0, y=10, g=3), it still matches the pattern (x=0), and the effect (g=1) can be used to compute the resulting state (x=0, y=10, g=1). In contrast, if the summary is represented as a state pair ((x=0, y=1, g=0), (x=0, y=1, g=1)), then the summary cannot be reused if baz were called at state (x=0, y=10, g=3).
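As an added example (not ZING’s or BEBOP’s implementation), the Python code below records, during one execution of a procedure body, which variables were read before being written (the pattern) and which were written (the effect), stores the pair as the summary, and reuses it on any later call whose state agrees with the pattern. This is the role the ZOM plays when it exposes reads and writes during an action; here a procedure body is a Python function over an Env object, and Env, call_with_summary and call_with_state_pair are names chosen for the example. baz reproduces Figure 3; clamp is a hypothetical second procedure with a data-dependent read, added to show that a pattern captures only what a particular run actually read, so one run’s summary can be more widely reusable than another’s.

```python
"""Procedure summaries as (pattern, effect) pairs versus state pairs.

Added example, not ZING's own implementation.  A procedure body is a Python
function over an Env; the Env records which variables the body reads before
writing them (the pattern) and which it writes (the effect).
"""
from typing import Callable, Dict, List, Tuple

Store = Dict[str, int]
Summary = Tuple[Store, Store]           # (pattern, effect)

class Env:
    """Variable store that records the reads and writes of one procedure run."""
    def __init__(self, state: Store):
        self.state = dict(state)
        self.reads: Store = {}
        self.writes: Store = {}

    def get(self, var: str) -> int:
        val = self.state[var]
        # a read of a value the body itself wrote earlier is internal to the
        # run and does not constrain reuse, so it is not part of the pattern
        if var not in self.writes:
            self.reads.setdefault(var, val)
        return val

    def set(self, var: str, val: int) -> None:
        self.state[var] = val
        self.writes[var] = val

def baz(env: Env) -> None:
    """Figure 3's baz(x, y): g = x + 1 (y is never read)."""
    env.set("g", env.get("x") + 1)

def clamp(env: Env) -> None:
    """Hypothetical second procedure: g = y, but only when x > 0."""
    if env.get("x") > 0:
        env.set("g", env.get("y"))

def call_with_summary(table: Dict[str, List[Summary]], name: str,
                      body: Callable[[Env], None], state: Store) -> Tuple[Store, bool]:
    """Invoke `body` at `state`, reusing a stored summary whose pattern matches.
    Returns (state after the call, whether a summary was reused)."""
    for pattern, effect in table.get(name, []):
        if all(state.get(v) == val for v, val in pattern.items()):
            out = dict(state)
            out.update(effect)          # apply the effect to the caller's state
            return out, True
    env = Env(state)
    body(env)
    table.setdefault(name, []).append((dict(env.reads), dict(env.writes)))
    return env.state, False

def call_with_state_pair(table: Dict[tuple, Store], name: str,
                         body: Callable[[Env], None], state: Store) -> Tuple[Store, bool]:
    """Same call, but with (s, s') summaries keyed on the entire input state."""
    key = (name, frozenset(state.items()))
    if key in table:
        return dict(table[key]), True
    env = Env(state)
    body(env)
    table[key] = dict(env.state)
    return env.state, False

def demo() -> dict:
    """Replay the paper's example: the second call to baz differs only in y and g."""
    pe_table, sp_table = {}, {}
    first = {"x": 0, "y": 1, "g": 0}
    second = {"x": 0, "y": 10, "g": 3}
    s1, hit1 = call_with_summary(pe_table, "baz", baz, first)
    s2, hit2 = call_with_summary(pe_table, "baz", baz, second)
    _, hit3 = call_with_state_pair(sp_table, "baz", baz, first)
    _, hit4 = call_with_state_pair(sp_table, "baz", baz, second)
    return {"pattern_effect": (s1, hit1, s2, hit2, pe_table["baz"]),
            "state_pair": (hit3, hit4)}
```

demo() shows the pattern (x=0) with effect (g=1) being reused for the second call, while the state-pair table misses it; calling clamp at x=0 yields the summary ((x=0), ()) that applies for every y and g, whereas a run with x=3 records y in its pattern as well.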

The model checker BEBOP [3] from the SLAM project represents summaries as state pairs. In order to illustrate the efficiency of reuse we present an empirical comparison between ZING’s implementation of summarization and BEBOP’s implementation. Since BEBOP supports model checking of sequential programs only, we do the comparison with a parameterized set of sequential ZING models shown in Figure 4. Program P(n) contains n global boolean variables g1, g2, ..., gn and n procedures level1, level2, ..., leveln. Figure 5 shows the running times for ZING and BEBOP for models P(10), P(20), ..., P(100). Due to the use of patterns and effects for representing summaries, the ZING runtime for P(n) scales linearly with n.




T. Andrews et al.



    class BoolProg {
        static bool g1;
        static bool g2;
        ...
        static bool g<n>;

        activate static void main() {
            level1(true, true, true);
            level1(true, true, true);
        }

        static void level<i>(bool p1, bool p2, bool p3) {
            bool a, b, c;
            a = false; b = false; c = false;
            while (!a | !b | !c) {
                if (!a)
                    a = true;
                else if (!b)
                    { a = false; b = true; }
                else if (!c)
                    { a = false; b = false; c = true; }
                g<i> = false;
                level<i+1>(a, b, c);
                g<i> = true;
                level<i+1>(a, b, c);
                g<i> = false;
            }
        }
    }

Fig. 4. Template to evaluate summary reuse using patterns and effects

3.3 Conformance Checker 

We are interested in checking that a ZING process cannot get into a state where it waits for messages that are never sent (deadlock) or has sent messages that are never received (orphan messages, for example, unhandled exception messages). We say, informally, that a process is stuck if it cannot make any transition whatsoever, and yet some component of it is ready to send or receive a message. We say that a process is stuck-free if it cannot transition to a stuck state.²

² We have formalized the notion of stuckness and stuck-freedom for transition systems in CCS [14], and we refer to [8, 7] for the precise definition of stuck-free CCS processes.

Fig. 5. Runtimes for ZING and BEBOP on models from Figure 4 (plot: ZING vs BEBOP model checking times)

In order to check for stuck-freedom compositionally (one component at a time) for a system of communicating processes, we have defined a refinement relation ≤, called stuck-free conformance, which allows us to regard one ZING process as a specification of another. Stuck-free conformance is a simulation relation on ZING processes, which (i) is preserved by all contexts and (ii) preserves the ability to get stuck. From these properties it follows that, if P and Q are ZING processes such that P ≤ Q, then for any process R, if R | Q is stuck-free, then R | P is stuck-free (P | Q denotes the parallel composition of P and Q, which is expressed in ZING via async calls). Therefore, if P ≤ Q, we can safely substitute Q (a specification) for P (an implementation) in any context when reasoning about stuck-freedom, thereby enabling compositional checking. Our definition of stuck-free conformance [8, 7] between ZING processes is the largest relation ≤ such that, whenever P ≤ Q, the following conditions hold:

C1. If $P \stackrel{\lambda}{\Longrightarrow} P'$ then there exists $Q'$ such that $Q \stackrel{\lambda}{\Longrightarrow} Q'$ and $P' \le Q'$. 

C2. If P can refuse X while ready on Y, then Q can refuse X while ready on Y. 

Here, $P \stackrel{\lambda}{\Longrightarrow} P'$ means that P can transition to P' on a sequence of hidden 
actions, τ, and a visible action, λ. A process is called stable if it cannot do any 
τ-actions. If X and Y are sets of visible actions, we say that P can refuse X 
while ready on Y if there exists a stable P', reachable from P by hidden actions 
only, such that (i) P' refuses X, i.e., P' cannot do a co-action of any action in X, 
and (ii) P' is ready on Y, i.e., P' can do every action in Y. In condition [C2] above, 
the ready sets Y range only over singleton sets or the empty set. This requirement 
on Y leads to the most permissive simulation satisfying the preservation properties 
(i) and (ii) mentioned above.³ 

We have extended the ZOM interface so that we can observe externally visible 
actions as well as the occurrence of hidden actions: 

1. ExternalEvent is a property which, for a newly generated state, gives the 
event (if any) on the transition that was used to generate the state. 

2. AccumulatedExternalEvents gives an array of events from all outgo- 
ing transitions on a state, once all the outgoing transitions have been 
explored. 

³ Our notion of stuck-free conformance can be seen as a restriction of the natural 
simulation-based version of CSP stable failures refinement [5, 9, 19], which in addition 
to preserving deadlock also preserves the ability to generate orphan messages. We 
refer to [8, 7] for more details on the theory of stuck-free conformance. 

    Stack dfsStack;
    Hashtable stateHash;

    void addState(State I, State S) {
      StatePair combinedState = new StatePair(I, S);
      if (!stateHash.Contains(combinedState)) {
        stateHash.Add(combinedState);
        dfsStack.Push(combinedState);
      }
    }

    void checkConformance(State initialImplState, State initialSpecState) {
      addState(initialImplState, initialSpecState);
      while (dfsStack.Count >= 1) {
        StatePair P = (StatePair) dfsStack.Peek();
        State I = P.first();
        State S = P.second();
        State newI = I.GetNextSuccessor();
        if (newI == null) {
          if (isStable(I)) {
            // First get all the events we executed from I.
            ExternalEvent[] IEvents = I.AccumulatedExternalEvents;
            // Check if ready-refusals of I are ready-refused by S as well.
            for (int i = 0; i < IEvents.Length; i++) {
              if (!checkReadyRefusals(S, IEvents, IEvents[i])) {
                Console.WriteLine("Ready refusals do not match up");
                return;
              }
            }
          }
          dfsStack.Pop();
          continue;
        }
        ExternalEvent event = newI.ExternalEvent;
        // Try to produce a transition from S with "event" as the observable event.
        State newS = executeWithEvent(S, event);
        if (newS == null) {
          Console.WriteLine("Implementation has unspecified behavior");
          return;
        }
        addState(newI, newS);
      }
      Console.WriteLine("I conforms with S");
    }

Fig. 6. Conformance checker for zing 

An implementation of the conformance checker using this interface is given in 
Figure 6. By exploring the state spaces of a given process P and a specification 
process C, checkConformance(P, C) decides whether P ≤ C, by a direct imple- 
mentation of conditions [C1] and [C2]. We assume that the specification does 
not have hidden nondeterminism, i.e., for a specification state S, if $S \stackrel{\lambda}{\Longrightarrow} S_1$ and 
$S \stackrel{\lambda}{\Longrightarrow} S_2$, then $S_1 = S_2$. This assumption can be relaxed by determinizing the 
specification in a pre-processing step, or on the fly using a subset construction. 
The conformance checker works by doing a depth-first search on the state space 
of the implementation, and tracking the "matching" state of the specification 
corresponding to each state of the implementation. A hashtable is used to keep 
track of states that have already been visited. In our implementation, we store 
fingerprints of the visited states in the hashtable for efficiency. At each transi- 
tion explored in the implementation, the algorithm checks for condition [C1]. 
After all the successors of an implementation state have been explored, it is 
popped from the DFS stack. At that time, the algorithm checks if condition 
[C2] holds. The algorithm uses three functions executeWithEvent, isStable, 
and checkReadyRefusals. The function executeWithEvent searches the spec- 
ification for a state which can be obtained by transitioning through the given 
event. Formally, executeWithEvent(S, λ) returns a state S' such that $S \stackrel{\lambda}{\Longrightarrow} S'$ 
if such a state S' exists (note that such a state is unique if it exists due to the 
assumption that the specification does not have hidden nondeterminism). If this 
function returns null, then we conclude that condition [C1] has been violated. 
The function isStable returns true if the given state S is stable and false 
otherwise. The function checkReadyRefusals(S, X, λ) returns true if condition 
[C2] holds. More precisely, checkReadyRefusals(S, X, λ) returns true if there 
exists a stable S' such that (i) S' is reachable from S by hidden actions only, 
(ii) for all λ', if $S' \stackrel{\lambda'}{\longrightarrow}$ then λ' ∈ X, and (iii) $S' \stackrel{\lambda}{\longrightarrow}$. The algorithm terminates 
if the state space of the implementation is finite, and the complexity is linear in 
the state spaces of the implementation and the specification. If the state space 
of the implementation is too large or infinite, the algorithm can be used to check 
for conformance in whatever portion of the state space is explored. 
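The Fig. 6 algorithm written out over small explicit transition systems, added here as an example; it is not ZING code and the ZOM interface is not used. Transition systems are plain dictionaries, the label TAU stands for a hidden action, and visible labels are treated as plain synchronization events (the co-action pairing of the CCS formalization is collapsed into equality of labels). The helpers executeWithEvent, isStable and checkReadyRefusals are implemented as the text describes them, and the ready-set check is also run for the empty ready set Y = {}, which the definition of [C2] admits and which a loop over the events of I alone does not visit. The four sample systems are constructed for illustration.

```python
"""Stuck-free conformance over explicit labelled transition systems (example)."""
TAU = "tau"  # hidden action; every other label is a visible action


def tau_closure(lts, s):
    """States reachable from s by zero or more hidden actions (tau*)."""
    seen, work = {s}, [s]
    while work:
        x = work.pop()
        for lab, y in lts.get(x, ()):
            if lab == TAU and y not in seen:
                seen.add(y)
                work.append(y)
    return seen


def is_stable(lts, s):
    """A state is stable if it cannot do any tau-action."""
    return all(lab != TAU for lab, _ in lts.get(s, ()))


def visible_moves(lts, s):
    return {lab for lab, _ in lts.get(s, ()) if lab != TAU}


def execute_with_event(spec, s, event):
    """The unique S' with S =event=> S' (tau* then event), or None if there is none."""
    targets = {y for x in tau_closure(spec, s)
               for lab, y in spec.get(x, ()) if lab == event}
    if not targets:
        return None
    if len(targets) > 1:
        raise ValueError("specification has hidden nondeterminism")
    return targets.pop()


def check_ready_refusals(spec, s, ready, event=None):
    """Condition C2 at one implementation state: is there a stable S' reachable
    from s by hidden actions whose visible moves lie inside `ready` and, when
    `event` is given, include `event`?  event=None is the empty ready-set case."""
    for t in tau_closure(spec, s):
        if is_stable(spec, t):
            moves = visible_moves(spec, t)
            if moves <= ready and (event is None or event in moves):
                return True
    return False


def check_conformance(impl, impl_init, spec, spec_init):
    """Return None if impl <= spec, otherwise a string naming the first violation.
    Same depth-first search with a visited set of (impl, spec) pairs as Fig. 6."""
    seen, stack = set(), []

    def add_state(i, s):
        if (i, s) not in seen:
            seen.add((i, s))
            stack.append((i, s))

    add_state(impl_init, spec_init)
    while stack:
        i, s = stack.pop()
        # C1: every visible transition of I must be matched by the specification.
        for lab, i2 in impl.get(i, ()):
            if lab == TAU:
                add_state(i2, s)  # hidden step: the matching spec state stays put
                continue
            s2 = execute_with_event(spec, s, lab)
            if s2 is None:
                return f"unspecified behaviour: {i} -{lab}-> {i2} at spec state {s}"
            add_state(i2, s2)
        # C2: a stable I refuses everything outside its ready set; S must be able to.
        if is_stable(impl, i):
            ready = visible_moves(impl, i)
            for ev in [None, *sorted(ready)]:
                if not check_ready_refusals(spec, s, ready, ev):
                    return f"ready refusals do not match at impl {i} / spec {s}"
    return None


# Constructed sample systems (hypothetical, not from the paper).
SPEC_EXT = {"s0": [("a", "s1"), ("b", "s1")], "s1": []}                 # a.0 + b.0
SPEC_INT = {"s0": [(TAU, "s1"), (TAU, "s2")],
            "s1": [("a", "s3")], "s2": [("b", "s3")], "s3": []}           # tau.a + tau.b
SPEC_AB = {"s0": [("a", "s1")], "s1": [("b", "s2")], "s2": []}           # a.b.0
IMPL_A = {"i0": [("a", "i1")], "i1": []}                                 # a.0


def run_examples():
    """True means the left process conforms to the right one."""
    return {
        "a.0 <= a.0 + b.0": check_conformance(IMPL_A, "i0", SPEC_EXT, "s0") is None,
        "a.0 + b.0 <= tau.a + tau.b": check_conformance(SPEC_EXT, "s0", SPEC_INT, "s0") is None,
        "tau.a + tau.b <= a.0 + b.0": check_conformance(SPEC_INT, "s0", SPEC_EXT, "s0") is None,
        "a.0 <= a.b.0": check_conformance(IMPL_A, "i0", SPEC_AB, "s0") is None,
    }
```

The results show what [C2] adds over plain simulation: a.0 is simulated by a.0 + b.0, yet it does not conform, because a context that only offers b is stuck with a.0 and not with the specification; likewise a.0 fails against a.b.0 through the empty ready set, since the specification cannot refuse b after a. The external choice a.0 + b.0 does conform to the internal choice tau.a + tau.b, while the converse fails.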



4 Conclusion 

The goal of the ZING project is to check properties of concurrent programs that 
manipulate the heap, by using natural abstraction boundaries that exist in the 
program. In order to support this goal, the ZING modeling language supports the 
essential features of modern object-oriented languages, and the ZING architecture 
enables a clear separation between the expressiveness of the modeling language 
and the simplicity of the ZING object model (ZOM). This separation has enabled 
us to implement several novel model checking algorithms on top of the ZOM. We 
are currently implementing a few additional algorithms to enable ZING to scale 
to larger models: 

— Currently non-determinism in data (introduced by the choose statement) is 
handled by an explicit case-split. We have designed a technique to handle 
such non-determinism symbolically. Our proposed algorithm adds symbolic 
fix-point computing capability to ZING, with the possibility of using widening 
to accelerate convergence. 

— We are currently investigating how to design a SLAM-like iterative refinement 
loop inside ZING. SLAM handles pointers by doing an a priori alias analysis, 
and using predicates to refine the imprecision in alias analysis. We believe 
that directly handling pointers in the abstraction will scale better. 

We have used ZING to check stuck-freeness of distributed applications [8, 
7], concurrency errors in device drivers,⁴ and protocol errors in a replicated file 
system.⁵ Though a discussion of these applications is beyond the scope of this 
paper, all of the above algorithms and optimizations were driven by the need to 
make ZING scale on these applications. 
Abstract. We present a denotational semantics based on action traces, 
for parallel programs which share mutable data and synchronize using re- 
sources and conditional critical regions. We introduce a resource-sensitive 
logic for partial correctness, adapting separation logic to the concurrent 
setting, as proposed by O’Hearn. The logic allows program proofs in 
which “ownership” of a piece of state is deemed to transfer dynamically 
between processes and resources. We prove soundness of this logic, using 
a novel “local” interpretation of traces, and we show that every provable 
program is race-free. 



1 Introduction 

Parallel programs involve the concurrent execution of processes which share state 
and are intended to cooperate interactively. It is notoriously difficult to ensure 
absence of runtime errors such as races , in which one process changes a piece 
of state being used by another process, and dangling pointers , which may occur 
if two processes attempt simultaneously to deallocate the same storage. Such 
phenomena can cause unpredictable or irreproducible behavior. 

Rather than relying on assumptions about the granularity of hardware prim- 
itives, it is preferable to use program design rules and proof techniques that 
guarantee error-freedom. The classic example is the syntax-directed logic for 
partial correctness properties of (pointer-free) parallel programs introduced by 
Owicki and Gries [15], building on prior work of Hoare [7]. This approach focusses 
on critical variables, the identifiers concurrently written by one process and read 
or written by another. The programmer must partition the critical variables 
among named resources, and each occurrence of a critical variable must be inside 
a region naming the relevant resource. Assuming that resource management is 
implemented by a suitable synchronization primitive, such as semaphores [6, 1], 
the design rules guarantee mutually exclusive access to critical variables and 
therefore freedom from races. Each process relies on its environment to ensure 
that when a resource is available the corresponding resource invariant holds, and 
guarantees that when the process releases the resource the invariant will hold 
again (cf. rely/guarantee methodology as in [9]). This use of resource invariants 
abstracts away from what happens “inside” a critical region and focusses on the 
places where synchronization occurs. 



P. Gardner and N. Yoshida (Eds.): CONCUR 2004, LNCS 3170, pp. 16—34, 2004. 
This method works well for simple (pointer-free) parallel programs, but the 
task of reasoning about parallel pointer-programs is made more difficult by the 
potential for aliasing, when distinct expressions may denote the same pointer: 
static design rules no longer suffice to prevent races involving pointer values. For 
example, the program [x]:=0 || [y]:=1 has a race if x and y are aliases, and this 
cannot be determined from the syntax of the program. 

Peter O’Hearn [11, 12] has proposed an adaptation of the Owicki-Gries rules 
to handle parallel pointer-programs, incorporating ideas from separation logic [17, 
14, 8]. The main technical novelty in this adaptation involves the use of separating 
conjunction in the rules dealing with resource invariants and parallel composi- 
tion. Although this may appear superficially to produce “obvious” variants of 
the traditional rules, the original rules (using the standard form of conjunction) 
are unsound for pointer-programs, and soundness of the new rules is far from 
obvious. Indeed, Reynolds has shown that O’Hearn’s rules are unsound without 
restrictions on resource invariants [18, 13]. 

O’Hearn provides a series of compelling examples with informal correctness 
proofs, but (as he remarks) the logic cannot properly be assessed without a suit- 
able semantic model [11]. Such a model is not readily available in the literature: 
traditional models for concurrency do not include pointers or race-detection, and 
models for pointer-programs do not typically handle concurrency. In this paper 
we give a denotational semantics, using action traces, that solves these prob- 
lems, using a form of parallel composition that detects races and treats them 
as catastrophic¹. Our semantic model embodies a classic principle of concurrent 
program design, originally articulated by Dijkstra [6] and echoed in the design 
of the classic inference rules for shared-memory programs [7, 15]: 

. . . processes should be loosely connected; by this we mean that apart 
from the (rare) moments of explicit intercommunication, the individual 
processes are to be regarded as completely independent of each other. 

In other words, concurrent processes do not interfere (or cooperate) ex- 
cept through explicit synchronization. Our semantics makes this idea concrete 
through the interplay between traces, which describe interleaved behaviors of 
processes, and an enabling relation on “local states” that models “no interfer- 
ence from outside except at synchronization”. This interplay permits a formal- 
ization of O’Hearn’s “processes that mind their own business” [12], and leads 
to a Parallel Decomposition Lemma that reflects the intuition behind Dijkstra’s 
principle in a semantically precise manner. 

The Owicki-Gries logic and O’Hearn’s adaptation assume a fixed collection 
of resources and a fixed set of parallel processes. We reformulate O’Hearn’s 
inference rules in a more semantically natural manner, allowing statically scoped 
resource declarations and nested parallel compositions. We assume that each 
resource invariant is a precise separation logic formula, so that every time a 
program acquires or releases a resource there is a uniquely determined portion of 
the heap whose ownership can be deemed to transfer. We give a suitably general 
(and compositional) notion of validity, and we prove that the proof rules, using 
precise invariants, are sound. Our soundness proof demonstrates that a verified 
program has no race conditions. 

¹ This idea was suggested by John Reynolds [18]. 

We omit proofs, and we do not include examples to illustrate the logic; the 
reader should see O’Hearn’s paper [12] for such examples, which may be repli- 
cated quite straightforwardly in our more formal setting. O’Hearn’s paper also 
discusses the limitations of the logic and identifies opportunities for further 
research. We assume familiarity with the syntax and semantics of separation 
logic [17]. Apart from this we have tried to include enough technical detail to 
make the paper self-contained. 



2 Syntax 

Our programming language combines shared-memory parallelism with pointer 
operations. The syntax for commands (ranged over by c) is given by the following 
abstract grammar, in which r ranges over resource names, i over identifiers, e 
over integer expressions, and b over boolean expressions: 

$$
\begin{array}{lcl}
c & ::= & \mathbf{skip} \mid i{:=}e \mid i{:=}[e] \mid [e]{:=}e' \mid i{:=}\mathbf{cons}(e_0,\ldots,e_n) \mid \mathbf{dispose}\ e \mid \\
& & c_1; c_2 \mid c_1 \| c_2 \mid \mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \mid \mathbf{while}\ b\ \mathbf{do}\ c \mid \\
& & \mathbf{resource}\ r\ \mathbf{in}\ c \mid \mathbf{with}\ r\ \mathbf{when}\ b\ \mathbf{do}\ c
\end{array}
$$

Expressions are pure, so evaluation has no side-effect and the value of an 
expression depends only on the store. An assignment command i:=e affects 
only the store; allocation $i{:=}\mathbf{cons}(e_0,\ldots,e_n)$, lookup $i{:=}[e]$, update $[e]{:=}e'$, and 
disposal dispose(e) involve the heap. A command of form resource r in c 
introduces a local resource name r, whose scope is c. A command of form 
with r when b do c is a conditional critical region for resource r. A process 
attempting to enter a region must wait until the resource is available, acquire 
the resource and evaluate b: if b is true the process executes c then releases the 
resource; if b is false the process releases the resource and waits to try again. 
A resource can only be held by one process at a time. We use the abbreviation 
with r do c when b is true. 

Let free(c) be the set of identifiers occurring free in c, with a similar no- 
tation for expressions. Let writes(c) be the set of identifiers having a free 
write occurrence in c, and res(c) be the set of resource names occurring free 
in c. These sets are defined as usual, by structural induction. For instance, 
res(with r when b do c) = res(c) U {r}, res(resource r in c) = res(c) — {r}. 

3 Semantics 

We give a trace-theoretic semantics for expressions and commands. The meaning 
of an expression will be a set of trace-value pairs, and the meaning of a command 
will be a set of traces. The trace set denoted by a program describes in abstract 
terms the possible interactive computations that the program may perform when 
executed fairly, in an environment which is also capable of performing actions. 
We interpret sequential composition as concatenation of traces, and parallel 
composition as a resource-sensitive form of interleaving of traces that enforces 
mutually exclusive access to each resource. By presenting traces as sequences of 
actions we can keep the underlying notion of state more or less implicit.² We 
will exploit this feature later, when we use the semantics to prove soundness of 
a concurrent separation logic. We start by providing an interpretation of actions 
using a global notion of state; later we will set up a more refined local notion of 
state with which it is easier to reason about ownership. 

Our semantics is designed to support reasoning about partial correctness and 
the absence (or potential presence) of runtime errors. The semantics also models 
deadlock, as a form of infinite waiting, and allows reasoning about safety and 
liveness properties. The semantics assumes that parallel processes are executed 
under the control of a weakly fair scheduler [16], so that each process that has 
not yet terminated will eventually be scheduled for execution. 

States, Actions, and Traces 

A value is either an integer, or an address. We use v to range over values, l over 
addresses. Let $V_{int}$ be the set of integers, $V_{addr}$ be the set of addresses³, and 
$V_{bool}$ be the set of truth values. A resource set is a finite set of resource names. 
A state σ comprises a store s, a heap h, and a resource set A. The store maps a 
finite set of identifiers to values; the heap maps a finite set of addresses to values. 
We use notations such as $[i_1 : v_1, \ldots, i_k : v_k]$ and $[l_1 : v_1, \ldots, l_n : v_n]$ to denote 
stores and heaps, and $[s \mid i : v]$ and $[h \mid l : v]$ for updated stores and heaps. 
We write $s \backslash X$ for the store obtained by removing the identifiers in X from the 
domain of s, and $h \backslash l$ for the heap obtained from h by deleting l from its domain. 
When heaps $h_1$ and $h_2$ have disjoint domains we write $h_1 \perp h_2$, and we let $h_1 \cdot h_2$ 
denote their union. We use a similar notation for stores. An "initial" state will 
have the form (s, h, {}); we may use the abbreviation (s, h) in such a case. 

We will describe a program's behavior in terms of actions. These include 
store actions: reads i=v and writes i:=v to identifiers; heap actions: lookups 
[l]=v, updates [l]:=v, allocations $\mathit{alloc}(l,[v_0,\ldots,v_n])$, and disposals $\mathit{disp}(l)$ of 
addresses; and resource actions: $\mathit{try}(r)$, $\mathit{acq}(r)$, $\mathit{rel}(r)$ involving resource names. 
We also include an idle action δ, and an error action abort. We use λ to range 
over the set of actions. 

Each action λ is characterized by its effect, a partial function $\stackrel{\lambda}{\Longrightarrow}$ from states 
to states. This partial function describes the set of states in which the action 
is enabled, and the state change caused by executing the action. Note that an 
action may cause a runtime error, for which we employ the error state abort. 

² An advantage of action traces [4, 3] over the transition traces [16, 5] often used to 
model shared-memory parallel languages is succinctness: an action typically acts the 
same way on many states, and we can express this implicitly, without enumerating 
all pairs of states related by the action. 

³ Actually we treat addresses as integers, so that our semantic model can incorporate 
address arithmetic, but for moral reasons we distinguish between integers as values 
and integers which happen to be addresses in current use. 

Definition 1. The effect $\stackrel{\lambda}{\Longrightarrow}$ of an action λ is given by the following clauses: 

$$
\begin{array}{lcll}
(s,h,A) & \stackrel{\delta}{\Longrightarrow} & (s,h,A) & \text{always} \\
(s,h,A) & \stackrel{i=v}{\Longrightarrow} & (s,h,A) & \text{if } (i,v) \in s \\
(s,h,A) & \stackrel{i=v}{\Longrightarrow} & \mathit{abort} & \text{if } i \notin \mathrm{dom}(s) \\
(s,h,A) & \stackrel{i:=v}{\Longrightarrow} & ([s \mid i:v], h, A) & \text{if } i \in \mathrm{dom}(s) \\
(s,h,A) & \stackrel{i:=v}{\Longrightarrow} & \mathit{abort} & \text{if } i \notin \mathrm{dom}(s) \\
(s,h,A) & \stackrel{[l]=v}{\Longrightarrow} & (s,h,A) & \text{if } (l,v) \in h \\
(s,h,A) & \stackrel{[l]=v}{\Longrightarrow} & \mathit{abort} & \text{if } l \notin \mathrm{dom}(h) \\
(s,h,A) & \stackrel{[l]:=v}{\Longrightarrow} & (s, [h \mid l:v], A) & \text{if } l \in \mathrm{dom}(h) \\
(s,h,A) & \stackrel{[l]:=v}{\Longrightarrow} & \mathit{abort} & \text{if } l \notin \mathrm{dom}(h) \\
(s,h,A) & \stackrel{\mathit{alloc}(l,[v_0,\ldots,v_n])}{\Longrightarrow} & (s, [h \mid l:v_0, \ldots, l+n:v_n], A) & \text{if } \forall m \le n.\ l+m \notin \mathrm{dom}(h) \\
(s,h,A) & \stackrel{\mathit{disp}(l)}{\Longrightarrow} & (s, h \backslash l, A) & \text{if } l \in \mathrm{dom}(h) \\
(s,h,A) & \stackrel{\mathit{disp}(l)}{\Longrightarrow} & \mathit{abort} & \text{if } l \notin \mathrm{dom}(h) \\
(s,h,A) & \stackrel{\mathit{try}(r)}{\Longrightarrow} & (s,h,A) & \text{if } r \in A \\
(s,h,A) & \stackrel{\mathit{acq}(r)}{\Longrightarrow} & (s,h,A \cup \{r\}) & \text{if } r \notin A \\
(s,h,A) & \stackrel{\mathit{rel}(r)}{\Longrightarrow} & (s,h,A - \{r\}) & \text{if } r \in A \\
(s,h,A) & \stackrel{\mathit{abort}}{\Longrightarrow} & \mathit{abort} & \text{always} \\
\mathit{abort} & \stackrel{\lambda}{\Longrightarrow} & \mathit{abort} & \text{always}
\end{array}
$$

It is obvious from the above definition that store actions depend only on the 
store, heap actions depend only on the heap, and resource actions depend only 
on the resource set. In general an action is either enabled or stuck in a given 
state. For example, if s(x) = 0 the action x=0 is enabled, but the action x=1 is 
stuck. The stuck cases play only a minor role in the development. 

Note that a try(r) action is allowed, from a state (s, h, A) in which r ∈ A, 
to model the case where one parallel component of the program has already 
acquired r but another component process wants to acquire it and must wait 
until the resource is released. A process can only acquire a resource that it does 
not already possess, and can only release a resource that it currently holds. 

The clause defining the effect of an allocation action is non-deterministic, 
to model our assumption that storage management is governed by a mutual 
exclusion discipline and ensures the use of "fresh" heap cells. A given state 
(s, h, A) enables all allocation actions of the form $\mathit{alloc}(l,[v_0,\ldots,v_n])$ for which 
the heap cells l, l+1, ..., l+n are all outside of $\mathrm{dom}(h)$. We assume that the 
storage allocator never chooses to allocate a heap cell in current use, so we do 
not need to include an error case for allocate actions. On the other hand, since 
disposals are done by the program we include an error case for disposal actions 
to account for the possibility of a dangling pointer. 
A trace is a non-empty finite or infinite sequence of actions. Let Tr be the set 
of all traces. We use α, β as meta-variables ranging over the set of traces, and 
$T_1$, $T_2$ range over trace sets. 

We write αβ for the trace obtained by concatenating α and β; when α is 
infinite this is just α. We assume that α abort β = α abort, and αδβ = αβ, for 
all traces α and β. 

For trace sets $T_1$ and $T_2$ we let $T_1 T_2 = \{\alpha_1\alpha_2 \mid \alpha_1 \in T_1 \ \&\ \alpha_2 \in T_2\}$, and we 
use the usual notations $T^*$ and $T^\omega$ for the finite and infinite concatenations of 
traces from the set T. We let $T^\infty = T^* \cup T^\omega$. 

We define the effect $\stackrel{\alpha}{\Longrightarrow}$ of a trace α in the obvious way, by composing the 
effects of the actions occurring in the trace. When $(s,h,A) \stackrel{\alpha}{\Longrightarrow} (s',h',A')$ the 
trace α can be executed from (s, h, A) without the need for interference from 
outside; we call such a trace sequential⁴. As is well known, the sequential traces 
of $c_1 \| c_2$ cannot generally be determined from the sequential traces of $c_1$ and $c_2$, 
so we need to include non-sequential traces in order to achieve a compositional 
semantics. 
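Definition 1 and the effect of a trace, as an executable check added here for illustration (this is not code from the paper). States are triples (store, heap, resource set) with Python dicts and a frozenset; actions are tuples whose first field names the action, a representation chosen for this example. The function returns the successor state, the error state on a runtime error, or None when the action is not enabled (stuck), so `is_sequential` is exactly the condition in the text that the trace's effect be defined from the given state. The sample state S0 is constructed.

```python
"""Global-state effect of actions and traces (Definition 1), as an interpreter."""
ABORT = "abort"


def effect(action, state):
    """Apply one action to a state (s, h, A) or to ABORT.
    Returns the successor state, ABORT on a runtime error, or None when the
    action is not enabled (stuck) in this state."""
    if state == ABORT:
        return ABORT                      # abort =lambda=> abort, always
    s, h, A = state
    kind = action[0]
    if kind == "delta":                   # idle action: no change
        return state
    if kind == "abort":
        return ABORT
    if kind == "read":                    # i=v: enabled only if s maps i to v
        _, i, v = action
        if i not in s:
            return ABORT
        return state if s[i] == v else None
    if kind == "write":                   # i:=v
        _, i, v = action
        if i not in s:
            return ABORT
        return ({**s, i: v}, h, A)
    if kind == "lookup":                  # [l]=v
        _, l, v = action
        if l not in h:
            return ABORT
        return state if h[l] == v else None
    if kind == "update":                  # [l]:=v
        _, l, v = action
        if l not in h:
            return ABORT
        return (s, {**h, l: v}, A)
    if kind == "alloc":                   # alloc(l, [v0..vn]): every cell must be fresh
        _, l, vals = action
        if any(l + m in h for m in range(len(vals))):
            return None
        return (s, {**h, **{l + m: v for m, v in enumerate(vals)}}, A)
    if kind == "disp":                    # disp(l): disposing a missing cell aborts
        _, l = action
        if l not in h:
            return ABORT
        return (s, {k: v for k, v in h.items() if k != l}, A)
    if kind == "try":                     # try(r): only while r is held by someone
        return state if action[1] in A else None
    if kind == "acq":                     # acq(r): only if r is not held
        r = action[1]
        return (s, h, A | {r}) if r not in A else None
    if kind == "rel":                     # rel(r): only if r is held
        r = action[1]
        return (s, h, A - {r}) if r in A else None
    raise ValueError(f"unknown action {action!r}")


def trace_effect(trace, state):
    """Compose the effects of a finite trace; None means some action got stuck."""
    for a in trace:
        state = effect(a, state)
        if state is None:
            return None
    return state


def is_sequential(trace, state):
    """A trace is sequential from a state if its effect is defined there."""
    return trace_effect(trace, state) is not None


# Constructed sample state: x = 0 in the store, one heap cell at address 7, no resources held.
S0 = ({"x": 0}, {7: 1}, frozenset())
```

Running the double disposal `[("disp", 7), ("disp", 7)]` from S0 gives ABORT, which is the dangling-pointer error case the text motivates; `[("try", "r")]` from S0 is stuck, since nobody holds r, while acq(r) try(r) rel(r) returns to S0.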



Parallel Composition 

The behavior of a command depends on resources: those held by the command 
and those being used by its environment. These sets of resources start empty 
and will always be disjoint. Accordingly we define for each action λ a resource 
enabling relation $(A_1,A_2) \stackrel{\lambda}{\longrightarrow} (A_1',A_2')$ on disjoint pairs of resource sets, to spec- 
ify when a process holding resources $A_1$, in an environment that holds $A_2$, 
can perform this action, and the action's effect on the resources held by the 
program: 

$$
\begin{array}{lcll}
(A_1,A_2) & \stackrel{\mathit{acq}(r)}{\longrightarrow} & (A_1 \cup \{r\}, A_2) & \text{if } r \notin A_1 \cup A_2 \\
(A_1,A_2) & \stackrel{\mathit{rel}(r)}{\longrightarrow} & (A_1 - \{r\}, A_2) & \text{if } r \in A_1 \\
(A_1,A_2) & \stackrel{\lambda}{\longrightarrow} & (A_1, A_2) & \text{if } \lambda \text{ is not a resource action}
\end{array}
$$

Clearly if $A_1$ and $A_2$ are disjoint and $(A_1,A_2) \stackrel{\lambda}{\longrightarrow} (A_1',A_2')$ then $A_2' = A_2$ 
and $A_1'$ is disjoint from $A_2$. 

This resource enabling notion generalizes in the obvious way to a sequence 
of actions; we write $(A_1,A_2) \stackrel{\alpha}{\longrightarrow} \cdot$ to indicate that a process holding resources 
$A_1$ in an environment holding $A_2$ can perform the trace α. 

We want to detect race conditions caused by an attempt to write to an 
identifier or address being used concurrently. This can be expressed succinctly 
as follows. First, we extend the definitions of free and writes to actions: 

⁴ Technically we say that α is sequential if and only if $\stackrel{\alpha}{\Longrightarrow} \neq \{\}$. 
$$
\begin{array}{ll}
\mathrm{free}(i{:=}v) = \{i\} & \mathrm{writes}(i{:=}v) = \{i\} \\
\mathrm{free}(i{=}v) = \{i\} & \mathrm{writes}(i{=}v) = \{\} \\
\mathrm{free}([l]{:=}v) = \{l\} & \mathrm{writes}([l]{:=}v) = \{l\} \\
\mathrm{free}([l]{=}v) = \{l\} & \mathrm{writes}([l]{=}v) = \{\} \\
\mathrm{free}(\mathit{disp}(l)) = \{l\} & \mathrm{writes}(\mathit{disp}(l)) = \{l\} \\
\mathrm{free}(\mathit{alloc}(l,[v_0,\ldots,v_n])) = \{\} & \mathrm{writes}(\mathit{alloc}(l,[v_0,\ldots,v_n])) = \{\} \\
\mathrm{free}(\lambda) = \{\} \text{ otherwise} & \mathrm{writes}(\lambda) = \{\} \text{ otherwise}
\end{array}
$$

Informally, free(λ) contains the identifiers or addresses whose current val- 
ues are needed to enable the action, and writes(λ) contains the identifiers or 
addresses whose values in the current state are affected by the action. We do 
not include addresses l, ..., l+n in the free- or write-set of $\mathit{alloc}(l,[v_0,\ldots,v_n])$, 
because these addresses are assumed to be fresh when the action occurs. 

We write $\lambda_1 \bowtie \lambda_2$ ($\lambda_1$ interferes with $\lambda_2$) when $\lambda_1$ and $\lambda_2$ represent a race: 

$$
\lambda_1 \bowtie \lambda_2 \iff \mathrm{free}(\lambda_1) \cap \mathrm{writes}(\lambda_2) \neq \{\} \ \vee\ \mathrm{writes}(\lambda_1) \cap \mathrm{free}(\lambda_2) \neq \{\}.
$$

Notice that we do not regard two concurrent reads as a disaster. 

We then define, for each pair $(A_1, A_2)$ of disjoint resource sets and each pair 
$(\alpha_1, \alpha_2)$ of action sequences, the set $\alpha_1\ {}_{A_1}\|_{A_2}\ \alpha_2$ of all mutex fairmerges of $\alpha_1$ 
using $A_1$ with $\alpha_2$ using $A_2$. The definition is inductive⁵ in the lengths of $\alpha_1$ and 
$\alpha_2$, and we include the empty sequence ε, to allow a simpler formulation: 

$$
\begin{array}{lcl}
\alpha_1\ {}_{A_1}\|_{A_2}\ \epsilon & = & \{\alpha_1 \mid (A_1,A_2) \stackrel{\alpha_1}{\longrightarrow} \cdot\} \\
\epsilon\ {}_{A_1}\|_{A_2}\ \alpha_2 & = & \{\alpha_2 \mid (A_2,A_1) \stackrel{\alpha_2}{\longrightarrow} \cdot\} \\
(\lambda_1\alpha_1)\ {}_{A_1}\|_{A_2}\ (\lambda_2\alpha_2) & = & \{\mathit{abort}\} \quad \text{if } \lambda_1 \bowtie \lambda_2 \\
& = & \{\lambda_1\beta \mid (A_1,A_2) \stackrel{\lambda_1}{\longrightarrow} (A_1',A_2) \ \&\ \beta \in \alpha_1\ {}_{A_1'}\|_{A_2}\ (\lambda_2\alpha_2)\} \\
& & \cup\ \{\lambda_2\beta \mid (A_2,A_1) \stackrel{\lambda_2}{\longrightarrow} (A_2',A_1) \ \&\ \beta \in (\lambda_1\alpha_1)\ {}_{A_1}\|_{A_2'}\ \alpha_2\} \\
& & \quad \text{otherwise}
\end{array}
$$

For traces $\alpha_1$ and $\alpha_2$, let $\alpha_1 \| \alpha_2$ be defined to be $\alpha_1\ {}_{\{\}}\|_{\{\}}\ \alpha_2$. For trace sets 
$T_1$ and $T_2$ we define $T_1 \| T_2 = \bigcup \{\alpha_1 \| \alpha_2 \mid \alpha_1 \in T_1 \ \&\ \alpha_2 \in T_2\}$. 



Semantics of Expressions 

An expression will denote a set of evaluation traces paired with values: we define 
$[\![e]\!] \subseteq Tr \times V_{int}$ for an integer expression e, and $[\![b]\!] \subseteq Tr \times V_{bool}$ for a boolean ex- 
pression b. Since expression values depend only on the store, the only non-trivial 
actions participating in such traces will be reads. To allow for the possibility 
of interference during expression evaluation we include both non-sequential and 
sequential evaluation traces. Again the sequential traces describe what happens 
if an expression is evaluated without interference. 

The semantic functions are given, by structural induction, in the usual way. 
For example: 

$$
\begin{array}{lcl}
[\![10]\!] & = & \{(\delta, 10)\} \\
[\![i]\!] & = & \{(i{=}v, v) \mid v \in V_{int}\} \\
[\![e_1 + e_2]\!] & = & \{(\rho_1\rho_2, v_1 + v_2) \mid (\rho_1, v_1) \in [\![e_1]\!] \ \&\ (\rho_2, v_2) \in [\![e_2]\!]\} \\
[\![(e_0, \ldots, e_n)]\!] & = & \{(\rho_0 \cdots \rho_n, [v_0, \ldots, v_n]) \mid \forall j.\ 0 \le j \le n \Rightarrow (\rho_j, v_j) \in [\![e_j]\!]\}.
\end{array}
$$

The use of concatenation in these semantic clauses assumes that sum expres- 
sions and lists are evaluated in left-right order. This assumption is not crucial; 
it would be just as reasonable to assume parallel evaluation for such expres- 
sions. With an appropriately modified semantic definition, this adjustment can 
be made without affecting the ensuing development. 

Let $[\![b]\!]_{true} \subseteq Tr$ be the set of traces ρ such that $(\rho, true) \in [\![b]\!]$, and $[\![b]\!]_{false}$ 
be the set of traces ρ such that $(\rho, false) \in [\![b]\!]$. 

⁵ We can also give a coinductive definition of the mutex fairmerges of two infinite 
traces, starting from a given disjoint pair of resource sets. We need mostly to work 
here with finite traces, so we omit the details. 

Semantics of Commands 

A command c denotes a trace set $[\![c]\!] \subseteq Tr$, defined by structural induction. 

Definition 2. 

The trace set $[\![c]\!]$ of a command c is defined by the following clauses: 

$$
\begin{array}{lcl}
[\![\mathbf{skip}]\!] & = & \{\delta\} \\
[\![i{:=}e]\!] & = & \{\rho\ i{:=}v \mid (\rho, v) \in [\![e]\!]\} \\
[\![i{:=}[e]]\!] & = & \{\rho\ [v]{=}v'\ i{:=}v' \mid (\rho, v) \in [\![e]\!]\} \\
[\![i{:=}\mathbf{cons}(e_0, \ldots, e_n)]\!] & = & \{\rho\ \mathit{alloc}(l, L)\ i{:=}l \mid (\rho, L) \in [\![(e_0, \ldots, e_n)]\!]\} \\
[\![[e]{:=}e']\!] & = & \{\rho\,\rho'\ [v]{:=}v' \mid (\rho, v) \in [\![e]\!] \ \&\ (\rho', v') \in [\![e']\!]\} \\
[\![\mathbf{dispose}(e)]\!] & = & \{\rho\ \mathit{disp}(l) \mid (\rho, l) \in [\![e]\!]\} \\
[\![c_1; c_2]\!] & = & [\![c_1]\!]\,[\![c_2]\!] = \{\alpha_1\alpha_2 \mid \alpha_1 \in [\![c_1]\!] \ \&\ \alpha_2 \in [\![c_2]\!]\} \\
[\![\mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2]\!] & = & [\![b]\!]_{true}\,[\![c_1]\!] \cup [\![b]\!]_{false}\,[\![c_2]\!] \\
[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] & = & ([\![b]\!]_{true}\,[\![c]\!])^*\,[\![b]\!]_{false} \cup ([\![b]\!]_{true}\,[\![c]\!])^\omega \\
[\![c_1 \| c_2]\!] & = & [\![c_1]\!] \| [\![c_2]\!] \\
[\![\mathbf{with}\ r\ \mathbf{when}\ b\ \mathbf{do}\ c]\!] & = & \mathit{wait}^*\ \mathit{enter} \cup \mathit{wait}^\omega \\
& & \text{where } \mathit{wait} = \mathit{acq}(r)\,[\![b]\!]_{false}\,\mathit{rel}(r) \cup \{\mathit{try}(r)\} \\
& & \text{and } \mathit{enter} = \mathit{acq}(r)\,[\![b]\!]_{true}\,[\![c]\!]\,\mathit{rel}(r) \\
[\![\mathbf{resource}\ r\ \mathbf{in}\ c]\!] & = & \{\alpha \backslash r \mid \alpha \in [\![c]\!]_r\}
\end{array}
$$

In the above semantic clauses we have prescribed a left-to-right sequential 
evaluation order for $i{:=}\mathbf{cons}(e_0, \ldots, e_n)$ and $[e]{:=}e'$, reflected in the use of con- 
catenation on the traces of sub-expressions; again this assumption is not crucial, 
and it is straightforward to adapt the ensuing development to allow for parallel 
evaluation of sub-expressions. 

The iterative structure of the traces of a conditional critical region reflects its 
use to achieve synchronization: waiting until the resource is available and the 
test condition is true, followed by execution of the body command while holding 
the resource, and finally releasing the resource. Note the possibility that the 
body may loop forever or encounter a runtime error, in which case the resource 
will not get released. Since $[\![true]\!]_{false} = \{\}$ and $[\![true]\!]_{true} = \{\delta\}$ it is easy to 
derive a simpler formula for the trace set of with r do c: we have 

$$
[\![\mathbf{with}\ r\ \mathbf{do}\ c]\!] = \mathit{try}(r)^*\ \mathit{acq}(r)\ [\![c]\!]\ \mathit{rel}(r) \cup \{\mathit{try}(r)^\omega\}.
$$

Since the command resource r in c introduces a local resource named r, 
whose scope is c, its traces are obtained from traces of c in which r is assumed 
initially available and the actions involving r are executed without interference. 
We let $[\![c]\!]_r$ be the set of traces of c which are sequential for r in this manner⁶. 
We let $\alpha \backslash r$ be the trace obtained from α by replacing each action on r by δ. 



Examples 

1. $[\![x := x+1]\!] = \{\, x{=}v\ \ x{:=}v{+}1 \mid v \in V_{int} \,\}$ 

This program always terminates, when executed from a state in which x has 
a value; its effect is to increment the value of x by 1. 

2. $[\![x := x+1 \parallel x := x+1]\!] = \{\, x{=}v\ \ abort \mid v \in V_{int} \,\}$ 

Concurrent assignments to the same identifier cause a race, no matter what 
the initial value of x is. 

3. $[\![\mathbf{with}\ r\ \mathbf{do}\ x := x+1]\!] = try(r)^*\, acq(r)\, [\![x := x+1]\!]\, rel(r)\ \cup\ \{try(r)^\omega\}$ 

This program needs to acquire r before incrementing x, and will wait forever 
if the resource never becomes available. 

4. $[\![\mathbf{with}\ r\ \mathbf{do}\ x := x+1 \parallel \mathbf{with}\ r\ \mathbf{do}\ x := x+1]\!]$ contains traces of the forms 
$acq(r)\,\alpha\,rel(r)\,acq(r)\,\beta\,rel(r)$, $acq(r)\,\alpha\,rel(r)\,try(r)^\omega$, and $try(r)^\omega$, where 
$\alpha, \beta \in [\![x := x+1]\!]$, as well as traces of similar form containing additional 
$try(r)$ steps. Only the first kind are sequential for r. It follows that 

$[\![\mathbf{resource}\ r\ \mathbf{in}\ (\mathbf{with}\ r\ \mathbf{do}\ x := x+1 \parallel \mathbf{with}\ r\ \mathbf{do}\ x := x+1)]\!]$ 
$= \{\, \alpha\beta \mid \alpha, \beta \in [\![x := x+1]\!] \,\} = [\![x := x+1;\ x := x+1]\!].$ 

The overall effect is the same as that of two consecutive increments. 

5. The command $x := cons(1) \parallel y := cons(2)$ has the trace set 

$\{\, alloc(l,[1])\ \ x{:=}l \mid l \in V_{addr} \,\} \parallel \{\, alloc(l',[2])\ \ y{:=}l' \mid l' \in V_{addr} \,\}.$ 

This set includes traces of the form 

$alloc(l,[1])\ \ x{:=}l\ \ alloc(l,[2])\ \ y{:=}l,$ 

and other interleavings of $alloc(l,[1])\ x{:=}l$ with $alloc(l,[2])\ y{:=}l$, none of 
which are sequential. The set also includes traces obtained by interleaving 
$alloc(l,[1])\ x{:=}l$ and $alloc(l',[2])\ y{:=}l'$, where $l \neq l'$; all of these are sequential. 

6. The command $dispose(x) \parallel dispose(y)$ has trace set 

$\{\, x{=}v\ \ disp(v) \mid v \in V_{addr} \,\} \parallel \{\, y{=}v'\ \ disp(v') \mid v' \in V_{addr} \,\}.$ 

This includes traces of the form $x{=}v\ \ y{=}v\ \ abort$ because of the race-detecting 
clause in the definition of fairmerge. If this command is executed from a 
state in which x and y are aliases a race will occur, with both processes 
attempting to dispose the same heap cell: if $s(x) = s(y) = v$ and $v \in dom(h)$ 
we have $(s, h, \{\}) \xrightarrow{\ x{=}v\ \ y{=}v\ \ abort\ } abort$. 

6 Technically, we say that $\alpha$ is sequential for r if $(\{\}, \{\}, \{\}) \xrightarrow{\ \alpha{\restriction}r\ } \cdot$ holds, where $\alpha{\restriction}r$ 
is the subsequence of $\alpha$ consisting of actions on resource r. This expresses formally 
the requirement that $\alpha$ represents an execution in which r is initially available and 
r is never acquired (or released) by the environment. Equivalently, $\alpha{\restriction}r$ is a prefix 
of a trace in the set $(acq(r)\ try(r)^\infty\ rel(r))^\infty$. Note in particular that $try(r)^\omega$ is not 
sequential for r. 
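The race-detecting clause of fairmerge that Examples 2, 4 and 6 rely on can be exercised mechanically. The following is an added example, not code from the paper: a small explorer that enumerates the interleavings of two processes over a concrete store and heap, aborting a merged execution whenever the two next actions race (a write to a store identifier or heap cell that the other process reads or writes at the same moment), and letting a process wait on an acquire while the other holds the resource. The instruction encoding, the helper names (incr, with_resource, dispose, outcomes) and the concrete initial states are this example's own assumptions; the paper's trace sets are parametric in the initial values, whereas this runs one initial state at a time.

```python
# Added example (not from the paper): a finite-state explorer for the
# interleavings of two processes, with the race-detecting clause of fairmerge
# that Examples 2, 4 and 6 rely on.  The instruction encoding, the helper
# names and the concrete initial states are this example's own assumptions.
from functools import lru_cache


def incr(ident):
    """x:=x+1 as two actions (Example 1): the read x=v, then the write x:=v+1."""
    return (('get', ident, 'v'), ('set', ident, lambda v: v + 1, ('v',)))


def with_resource(r, body):
    """with r do body: acquire r (waiting while another process holds it),
    run the body, release r."""
    return (('acq', r),) + tuple(body) + (('rel', r),)


def dispose(ident):
    """dispose(x): read the address stored in x, then dispose that heap cell."""
    return (('get', ident, 'v'), ('disp', 'v'))


def freeze(d):
    return tuple(sorted(d.items()))


def footprint(instr, regs):
    """Store and heap locations the next action reads and writes."""
    kind = instr[0]
    if kind == 'get':
        return frozenset({('var', instr[1])}), frozenset()
    if kind == 'set':
        return frozenset(), frozenset({('var', instr[1])})
    if kind == 'disp':
        return frozenset(), frozenset({('heap', dict(regs)[instr[1]])})
    return frozenset(), frozenset()          # acq / rel touch neither store nor heap


def interfere(i1, r1, i2, r2):
    """Race clause: a write by one process to a location the other process
    reads or writes at the same moment makes the merged trace abort."""
    rd1, wr1 = footprint(i1, r1)
    rd2, wr2 = footprint(i2, r2)
    return bool(wr1 & (rd2 | wr2)) or bool(wr2 & (rd1 | wr1))


def step(instr, regs, store, heap, held, pid):
    """Effect of one action; None stands for the error state abort."""
    store, heap, regs, held = dict(store), dict(heap), dict(regs), dict(held)
    kind = instr[0]
    if kind == 'get':                         # i=v: i must have a value
        if instr[1] not in store:
            return None
        regs[instr[2]] = store[instr[1]]
    elif kind == 'set':                       # i:=v
        if instr[1] not in store:
            return None
        store[instr[1]] = instr[2](*(regs[r] for r in instr[3]))
    elif kind == 'disp':                      # disp(l): l must be allocated
        if regs[instr[1]] not in heap:
            return None
        del heap[regs[instr[1]]]
    elif kind == 'acq':
        held[instr[1]] = pid
    elif kind == 'rel':
        held[instr[1]] = None
    return freeze(store), freeze(heap), freeze(regs), freeze(held)


def outcomes(store, heap, p1, p2):
    """Every outcome of p1 || p2 from (store, heap): a final store, 'abort'
    for a race or runtime error, or 'blocked' for a process that waits on a
    resource forever (the try(r)^omega traces)."""
    procs = (p1, p2)
    resources = {i[1] for p in procs for i in p if i[0] in ('acq', 'rel')}

    @lru_cache(maxsize=None)
    def explore(store, heap, regs, pcs, held):
        holder = dict(held)
        heads = [procs[i][pcs[i]] if pcs[i] < len(procs[i]) else None for i in (0, 1)]
        enabled = [i for i in (0, 1) if heads[i] is not None
                   and not (heads[i][0] == 'acq' and holder[heads[i][1]] is not None)]
        if not enabled:
            done = all(h is None for h in heads)
            return frozenset({store if done else 'blocked'})
        if len(enabled) == 2 and interfere(heads[0], regs[0], heads[1], regs[1]):
            return frozenset({'abort'})       # race: only the abort trace remains
        result = set()
        for i in enabled:
            nxt = step(heads[i], regs[i], store, heap, held, i)
            if nxt is None:
                result.add('abort')
                continue
            s, h, rg, hd = nxt
            result |= explore(s, h, (rg, regs[1]) if i == 0 else (regs[0], rg),
                              (pcs[0] + 1, pcs[1]) if i == 0 else (pcs[0], pcs[1] + 1), hd)
        return frozenset(result)

    return explore(freeze(store), freeze(heap), ((), ()), (0, 0),
                   freeze({r: None for r in resources}))
```

Running `outcomes({'x': 0}, {}, incr('x'), incr('x'))` yields only `abort`, as in Example 2; wrapping both increments in `with_resource('r', ...)` yields the single final store with x = 2, as in Example 4; and `outcomes({'x': 7, 'y': 7}, {7: 0}, dispose('x'), dispose('y'))`, where x and y alias the same cell, yields only `abort`, while distinct addresses dispose cleanly, as in Example 6.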

4 Concurrent Separation Logic 

Separation logic [17] provides a class of formulas for specifying properties of 
stores and heaps. The syntax includes separating conjunction, denoted $p_1 * p_2$, 
and formulas $\mathbf{emp}$ and $e \mapsto e'$ specifying an empty heap and a singleton heap. 
We write $(s,h) \models p$ when $(s,h)$ satisfies p. In particular, $(s,h) \models p_1 * p_2$ if and 
only if there are disjoint heaps $h_1, h_2$ such that $h = h_1 \cdot h_2$, $(s,h_1) \models p_1$, and 
$(s,h_2) \models p_2$. Reynolds [17] provides a Hoare-style partial correctness logic for 
sequential pointer-programs in which the pre- and post-conditions are separation 
logic formulas. 

We now introduce resource-sensitive partial correctness formulas of the form 
$\Gamma \vdash \{p\}c\{q\}$, where p and q are separation logic formulas, c is a parallel pointer-
program, and $\Gamma$ is a resource context $r_1(X_1) : R_1, \ldots, r_k(X_k) : R_k$ associating 
resource names $r_j$ with protection lists $X_j$ and resource invariants $R_j$. Each 
protection list represents a finite set of identifiers. We require each resource 
invariant to be a precise separation logic formula. A separation logic formula p 
is precise [17] if for all s and h, there is at most one $h' \subseteq h$ such that $(s,h') \models p$. 

Let $dom(\Gamma) = \{r_1, \ldots, r_k\}$ be the set of resource names in $\Gamma$, $owned(\Gamma) = \bigcup_{j=1}^{k} X_j$ be the set of identifiers protected by $\Gamma$, and $free(\Gamma) = \bigcup_{j=1}^{k} free(R_j)$ 
be the set of identifiers mentioned in the invariants. Let $inv(\Gamma) = R_1 * \cdots * R_k$ be 
the separating conjunction of the resource invariants in $\Gamma$. In particular, when 
$\Gamma$ is empty this is $\mathbf{emp}$. Since each resource invariant is precise it follows that 
$inv(\Gamma)$ is precise. 

We will impose some syntactic well-formedness constraints on contexts and 
formulas, designed to facilitate modularity. Specifically: 

- $\Gamma$ is well-formed if its entries are disjoint, in that if $i \neq j$ then $r_i \neq r_j$, 
$X_i \cap X_j = \{\}$, and $free(R_i) \cap X_j = \{\}$. 

- $\Gamma \vdash \{p\}c\{q\}$ is well-formed if $\Gamma$ is well-formed, and p and q do not mention 
any protected identifiers, i.e. $free(p,q) \cap owned(\Gamma) = \{\}$. 

Thus in a well-formed context each identifier belongs to at most one resource. 
We do not require that the free identifiers in a resource invariant be protected, 
i.e. that $free(R_i) \subseteq X_i$. This allows us to use a resource invariant to connect 
the values of protected identifiers and the values of non-critical variables. 

The inference rules will enforce the following syntactic constraints on commands, 
relative to the relevant resource context (see footnote 7): 

- Every critical identifier is protected by a resource. 

- Every free occurrence of a protected identifier is within a region for the 
corresponding resource. 

- Every free write occurrence of an identifier mentioned in a resource invariant 
is within a region for the corresponding resource. 

7 We will not formalize these properties or give a proof that they hold in all provable 
formulas. We state them explicitly since they recall analogous requirements in the 
Owicki-Gries logic and in O'Hearn's rules. 

Intuitively, a resource-sensitive partial correctness formula specifies how a 
program behaves when executed in an environment that respects the resource 
context, assuming that at all times the separating conjunction of the resource 
invariants holds, for the currently available resources. The program guarantees to 
stay within these bounds, provided it can rely on its environment to do likewise. 
This informal notion of validity for formulas should help provide intuition for the 
structure of the following inference rules. Later we will give a formal definition 
of validity. 

We allow all well-formed instances of the following inference rules. Some 
of the rules have side conditions to ensure well-formedness and the syntactic 
requirements given above, as in [12]. 

- Skip 

$\Gamma \vdash \{p\}\ \mathbf{skip}\ \{p\}$ 

- Assignment 

$\Gamma \vdash \{[e/i]p\}\ i := e\ \{p\}$ 
if $i \notin owned(\Gamma) \cup free(\Gamma)$ 

- Lookup 

$\Gamma \vdash \{[e'/i]p \wedge e \mapsto e'\}\ i := [e]\ \{p \wedge e \mapsto e'\}$ 
if $i \notin free(e, e')$ and $i \notin owned(\Gamma) \cup free(\Gamma)$ 

- Allocation 

$\Gamma \vdash \{\mathbf{emp}\}\ i := cons(e_0, \ldots, e_n)\ \{i \mapsto e_0 * \cdots * i{+}n \mapsto e_n\}$ 
if $i \notin free(e_0, \ldots, e_n)$ and $i \notin owned(\Gamma) \cup free(\Gamma)$ 

- Update 

$\Gamma \vdash \{e \mapsto -\}\ [e] := e'\ \{e \mapsto e'\}$ 

- Disposal 

$\Gamma \vdash \{e \mapsto -\}\ \mathbf{dispose}\ e\ \{\mathbf{emp}\}$ 

- Sequential 

$\dfrac{\Gamma \vdash \{p_1\}c_1\{p_2\} \qquad \Gamma \vdash \{p_2\}c_2\{p_3\}}{\Gamma \vdash \{p_1\}\ c_1; c_2\ \{p_3\}}$ 

- Conditional 

$\dfrac{\Gamma \vdash \{p \wedge b\}c_1\{q\} \qquad \Gamma \vdash \{p \wedge \neg b\}c_2\{q\}}{\Gamma \vdash \{p\}\ \mathbf{if}\ b\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2\ \{q\}}$ 

- Loop 

$\dfrac{\Gamma \vdash \{p \wedge b\}c\{p\}}{\Gamma \vdash \{p\}\ \mathbf{while}\ b\ \mathbf{do}\ c\ \{p \wedge \neg b\}}$ 

- Parallel 

$\dfrac{\Gamma \vdash \{p_1\}c_1\{q_1\} \qquad \Gamma \vdash \{p_2\}c_2\{q_2\}}{\Gamma \vdash \{p_1 * p_2\}\ c_1 \parallel c_2\ \{q_1 * q_2\}}$ 
if $free(p_1, q_1) \cap writes(c_2) = free(p_2, q_2) \cap writes(c_1) = \{\}$ 
and $(free(c_1) \cap writes(c_2)) \cup (free(c_2) \cap writes(c_1)) \subseteq owned(\Gamma)$ 

- Resource 

$\dfrac{\Gamma, r(X) : R \vdash \{p\}c\{q\}}{\Gamma \vdash \{p * R\}\ \mathbf{resource}\ r\ \mathbf{in}\ c\ \{q * R\}}$ 

- Renaming resource 

$\dfrac{\Gamma \vdash \{p\}\ \mathbf{resource}\ r'\ \mathbf{in}\ [r'/r]c\ \{q\}}{\Gamma \vdash \{p\}\ \mathbf{resource}\ r\ \mathbf{in}\ c\ \{q\}}$ 
if $r' \notin res(c)$ 

- Region 

$\dfrac{\Gamma \vdash \{(p * R) \wedge b\}c\{q * R\}}{\Gamma, r(X) : R \vdash \{p\}\ \mathbf{with}\ r\ \mathbf{when}\ b\ \mathbf{do}\ c\ \{q\}}$ 

- Frame 

$\dfrac{\Gamma \vdash \{p\}c\{q\}}{\Gamma \vdash \{p * I\}c\{q * I\}}$ 
if $free(I) \cap writes(c) = \{\}$ 

- Consequence 

$\dfrac{p' \Rightarrow p \qquad \Gamma \vdash \{p\}c\{q\} \qquad q \Rightarrow q'}{\Gamma \vdash \{p'\}c\{q'\}}$ 
provided $p' \Rightarrow p$ and $q \Rightarrow q'$ are universally valid 

- Auxiliary 

$\dfrac{\Gamma \vdash \{p\}c\{q\}}{\Gamma \vdash \{p\}\ c \backslash X\ \{q\}}$ 
if X is auxiliary for c, and $X \cap free(p,q) = \{\}$. 

- Conjunction 

$\dfrac{\Gamma \vdash \{p_1\}c\{q_1\} \qquad \Gamma \vdash \{p_2\}c\{q_2\}}{\Gamma \vdash \{p_1 \wedge p_2\}c\{q_1 \wedge q_2\}}$ 

- Expansion 

$\dfrac{\Gamma \vdash \{p\}c\{q\}}{\Gamma, \Gamma' \vdash \{p\}c\{q\}}$ 
if $writes(c) \cap free(\Gamma') = \{\}$ and $free(c) \cap owned(\Gamma') = \{\}$ 

- Contraction 

$\dfrac{\Gamma, \Gamma' \vdash \{p\}c\{q\}}{\Gamma \vdash \{p\}c\{q\}}$ 
if $res(c) \subseteq dom(\Gamma)$ 



Comments 

1. The rules dealing with the sequential program constructs are natural adaptations 
of the rules given by Reynolds [17], with the incorporation of a resource 
context and side conditions to ensure well-formedness and adherence to the 
protection policy. The Frame and Consequence rules similarly generalize 
analogous rules from the sequential setting. 

2. The Parallel, Region and Resource rules are based on O'Hearn's adaptations 
of Owicki-Gries inference rules. A side condition in the Parallel 
rule enforces the requirement that each critical variable must be associated 
with a resource, just as in the original Owicki-Gries rule. 

3. The Auxiliary rule similarly adapts the Owicki-Gries rule for auxiliary 
variables (see footnote 8). As usual, a set of identifiers X is said to be auxiliary for c if 
every free occurrence in c of an identifier from X is in an assignment that 
only affects the values of identifiers in X. In particular, auxiliary identifiers 
cannot occur in conditional tests or loop tests, and do not influence the 
control flow of the program. The command $c \backslash X$ is obtained from c by deleting 
assignments to identifiers in X. 

4. In the Resource Renaming rule we write $[r'/r]c$ for the command obtained 
from c by replacing each free occurrence of r by r'. 

5. We have omitted the obvious structural rules permitting permutation of 
resource contexts. 
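As an added worked example, not part of the paper, here is how the rules above prove the two-increment program of Example 4 race-free. We assume the context $\Gamma_r = r(\{x\}) : \mathbf{emp}$ (the invariant $\mathbf{emp}$ is precise, as required), and write $c_1 = c_2 = \mathbf{with}\ r\ \mathbf{do}\ x := x+1$; these names are this example's own choices. 

1. Assignment, in the empty context. Since $\mathbf{emp}$ has no free identifiers, $[x{+}1/x]\mathbf{emp} = \mathbf{emp}$, and the side condition $x \notin owned(\{\}) \cup free(\{\}) = \{\}$ holds: 
$$\{\} \vdash \{\mathbf{emp}\}\ x := x+1\ \{\mathbf{emp}\}$$ 

2. Consequence, using the universally valid implications $(\mathbf{emp} * \mathbf{emp}) \wedge \mathbf{true} \Rightarrow \mathbf{emp}$ and $\mathbf{emp} \Rightarrow \mathbf{emp} * \mathbf{emp}$: 
$$\{\} \vdash \{(\mathbf{emp} * \mathbf{emp}) \wedge \mathbf{true}\}\ x := x+1\ \{\mathbf{emp} * \mathbf{emp}\}$$ 

3. Region, with $p = q = R = \mathbf{emp}$ and $b = \mathbf{true}$ (recall that $\mathbf{with}\ r\ \mathbf{do}\ c$ is $\mathbf{with}\ r\ \mathbf{when}\ \mathbf{true}\ \mathbf{do}\ c$). The premise lives in the context $\{\}$, where x is not protected, which is what allows the body to write x: 
$$\Gamma_r \vdash \{\mathbf{emp}\}\ \mathbf{with}\ r\ \mathbf{do}\ x := x+1\ \{\mathbf{emp}\}$$ 

4. Parallel, with step 3 as both premises. The side conditions hold: $free(\mathbf{emp}) \cap writes(c_2) = \{\}$, and $(free(c_1) \cap writes(c_2)) \cup (free(c_2) \cap writes(c_1)) = \{x\} \subseteq owned(\Gamma_r) = \{x\}$, i.e. the only shared variable is protected: 
$$\Gamma_r \vdash \{\mathbf{emp} * \mathbf{emp}\}\ c_1 \parallel c_2\ \{\mathbf{emp} * \mathbf{emp}\}$$ 

5. Resource (the conclusion adds $R = \mathbf{emp}$ separately on each side), followed by Consequence to collapse $\mathbf{emp} * \mathbf{emp} * \mathbf{emp}$ to $\mathbf{emp}$: 
$$\{\} \vdash \{\mathbf{emp}\}\ \mathbf{resource}\ r\ \mathbf{in}\ (c_1 \parallel c_2)\ \{\mathbf{emp}\}$$ 

Each formula is well formed, since the pre- and post-conditions mention no protected identifier. By the Soundness Theorem the last formula is valid, and by Theorem 9 (with $inv(\{\}) = \mathbf{emp}$) the program is race-free from every state with an empty heap, which is what Example 4 computed directly from the trace semantics. Had x not been placed in a protection list, step 4 would fail, since $\{x\} \not\subseteq owned(\{\})$; that failure is the logical counterpart of the abort traces in Example 2. Note that this specification says nothing about the final value of x; proving that x is incremented twice requires the auxiliary-variable technique of Comment 3. 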



5 Validity 

We wish to establish that every provable resource-sensitive formula is valid, but 
we need to determine precisely what that should mean. Adapting the notion of 
validity familiar from the sequential setting, we might try to interpret validity 
of $\Gamma \vdash \{p\}c\{q\}$ as the property that every finite computation of c from a state 
satisfying $p * inv(\Gamma)$ is error-free and ends in a state satisfying $q * inv(\Gamma)$. 
However, this notion of "sequential validity" is not compositional for parallel 
programs; although it expresses a desirable property we need a notion of validity 
that takes account of process interaction. 

Informally we might say that the formula $\Gamma \vdash \{p\}c\{q\}$ is valid if every finite 
interactive computation of c from a state satisfying $p * inv(\Gamma)$, in an environment 
that respects $\Gamma$, is error-free, also respects $\Gamma$, and ends in a state satisfying 
$q * inv(\Gamma)$. However, such a formulation would be incomplete, since it does not 
properly specify what "respect" for $\Gamma$ entails. To obtain a suitably formal (and 
compositional) notion of validity we need to keep track of the portions of the 
state deemed to be "owned" by a process, its environment, and the available 
resources. 

8 Owicki and Gries cite Brinch Hansen [2] and Lauer [10] as having first recognized the 
need for auxiliary variables in proving correctness properties of concurrent programs. 

With respect to a resource context $\Gamma$, a process holding resource set A should 
be allowed to access identifiers protected by resources in A, but not identifiers 
protected by other resources. We say that $(s,h,A)$ is a local state consistent with 
$\Gamma$ if $dom(s) \cap owned(\Gamma) = owned(\Gamma{\restriction}A)$, where $\Gamma{\restriction}A$ is the subset of $\Gamma$ involving 
resources in A. We let $\Gamma \backslash A$ be the rest of $\Gamma$. We introduce local enabling relations 
between local states: a step $(s,h,A) \xrightarrow{\lambda}_\Gamma (s',h',A')$ means that in state $(s,h,A)$ 
a process can perform action $\lambda$, causing its local state to change to $(s',h',A')$ 
and respecting the resource invariants and protection rules. We use the error 
state abort to handle runtime errors and logical errors such as an attempt to 
release a resource in a state for which no sub-heap satisfies the corresponding 
invariant, or a write to an identifier mentioned in a resource invariant without 
first acquiring the resource. 

Definition 3. The local enabling relations $\xrightarrow{\lambda}_\Gamma$ are the least relations satisfying 
the following clauses, in which $(s,h,A)$ ranges over local states consistent with 
the relevant context: 

$(s,h,A) \xrightarrow{\delta}_\Gamma (s,h,A)$   always 
$(s,h,A) \xrightarrow{try(r)}_\Gamma (s,h,A)$   always 
$(s,h,A) \xrightarrow{i=v}_\Gamma (s,h,A)$   if $(i,v) \in s$ 
$(s,h,A) \xrightarrow{i=v}_\Gamma abort$   if $i \notin dom(s)$ 
$(s,h,A) \xrightarrow{i:=v}_\Gamma ([s \mid i:v], h, A)$   if $i \in dom(s) - free(\Gamma \backslash A)$ 
$(s,h,A) \xrightarrow{i:=v}_\Gamma abort$   if $i \notin dom(s)$ or $i \in free(\Gamma \backslash A)$ 
$(s,h,A) \xrightarrow{[l]=v}_\Gamma (s,h,A)$   if $(l,v) \in h$ 
$(s,h,A) \xrightarrow{[l]=v}_\Gamma abort$   if $l \notin dom(h)$ 
$(s,h,A) \xrightarrow{[l]:=v'}_\Gamma (s, [h \mid l:v'], A)$   if $l \in dom(h)$ 
$(s,h,A) \xrightarrow{[l]:=v'}_\Gamma abort$   if $l \notin dom(h)$ 
$(s,h,A) \xrightarrow{alloc(l,[v_0,\ldots,v_n])}_\Gamma (s, [h \mid l:v_0, \ldots, l{+}n:v_n], A)$   if $\forall m \le n.\ l{+}m \notin dom(h)$ 
$(s,h,A) \xrightarrow{disp(l)}_\Gamma (s, h \backslash l, A)$   if $l \in dom(h)$ 
$(s,h,A) \xrightarrow{disp(l)}_\Gamma abort$   if $l \notin dom(h)$ 
$(s,h,A) \xrightarrow{abort}_\Gamma abort$   always 
$(s,h,A) \xrightarrow{acq(r)}_{\Gamma, r(X):R} (s \cdot s', h \cdot h', A \cup \{r\})$   if $r \notin A$, $h \perp h'$, $dom(s') = X$, $(s \cdot s', h') \models R$ 
$(s,h,A) \xrightarrow{rel(r)}_{\Gamma, r(X):R} (s \backslash X, h - h', A - \{r\})$   if $r \in A$, $h' \subseteq h$ and $(s,h') \models R$ 
$(s,h,A) \xrightarrow{rel(r)}_{\Gamma, r(X):R} abort$   if $\forall h' \subseteq h.\ \neg (s,h') \models R$ 
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The clauses for acq(r) and rel(r) deal with ownership transfer: when a pro- 
cess acquires a resource its local state grows to include the identifiers protected 
by the resource and the heap portion in which the resource invariant holds; when 
a process releases a resource its local state ceases to include the protected identi- 
fiers and the heap associated with the resource invariant; a “logical” error occurs 
if the invariant is not suitably satisfied. Since resource invariants are assumed to 
be precise formulas in each case there is a uniquely determined portion of heap 
associated with the relevant invariant. 

We write cr -j? a' when there is a local computation a from a to a' . 

Note that non-sequential traces play a non-trivial role in the local enabling 
relation, and in a local computation external interference can occur only at a re- 
source acquisition step. Thus the local enabling relation provides a formalization 
of “loosely connected” processes in the spirit of Dijkstra. 

The following result connects the local enabling relations which model 
interactive execution in an environment that respects a resource context, and 
the effect relations ===>, which represent interference- free executions, when a is 
a sequential trace. 

Lemma 1 (Empty Transfer Lemma) 

Let a be a finite trace, let {ri, ... ,r n } be the set of resource names occurring in 
actions of a, and let To be the resource context : emp, . . . , r n ({}) : emp. 

Then ( s , h, A) =% o' if and only if (s, h, A) o'. 

Theorem 2 (Respect for Resources) 

If a & [c] and ( s,h,A ) -j? ( s',h',A '), then dom(s') = dom(s) and A = A' . 

Note that these results imply the corresponding property for sequential traces. 

Corollary 3 

If a e [c] and ( s , h, A ) (s', h' , A), then dom(s) = dom(s') and A = A'. 

The following parallel decomposition property relates a local computation 
of a parallel program to local computations of its components. If the critical 
identifiers of $c_1$ and $c_2$ are protected by resources in $\Gamma$, a local computation of 
$c_1 \parallel c_2$ can be "projected" into a local computation of $c_1$ and a local computation 
of $c_2$. In stating this property we use $(s,h)$ as an abbreviation for $(s,h,\{\})$. 

Theorem 4 (Parallel Decomposition) 

Suppose $(free(c_1) \cap writes(c_2)) \cup (writes(c_1) \cap free(c_2)) \subseteq owned(\Gamma)$ and 
$\alpha \in \alpha_1 \parallel \alpha_2$, where $\alpha_1 \in [\![c_1]\!]$ and $\alpha_2 \in [\![c_2]\!]$. Suppose $h_1 \perp h_2$ and $h = h_1 \cdot h_2$. 

— If $(s,h) \xRightarrow{\alpha}_\Gamma abort$ then 
$(s \backslash writes(c_2), h_1) \xRightarrow{\alpha_1}_\Gamma abort$ or $(s \backslash writes(c_1), h_2) \xRightarrow{\alpha_2}_\Gamma abort$. 

— If $(s,h) \xRightarrow{\alpha}_\Gamma (s',h')$ then 
$(s \backslash writes(c_2), h_1) \xRightarrow{\alpha_1}_\Gamma abort$ or $(s \backslash writes(c_1), h_2) \xRightarrow{\alpha_2}_\Gamma abort$, 
or there are disjoint heaps $h'_1 \perp h'_2$ such that $h' = h'_1 \cdot h'_2$ and 

• $(s \backslash writes(c_2), h_1) \xRightarrow{\alpha_1}_\Gamma (s' \backslash writes(c_2), h'_1)$ 

• $(s \backslash writes(c_1), h_2) \xRightarrow{\alpha_2}_\Gamma (s' \backslash writes(c_1), h'_2)$ 
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The definition of local enabling formalizes the notion of a computation by a 
process, in an environment that respects resources, and “minds its own business” 
by obeying the ownership policy of a given resource context. This leads us to 
the following rigorous formulation of validity. Again we write (s, h ) for (s, h, {}). 

Definition 5 . 

The formula T b {p}c{q} is valid if for all traces a of c, all local states (s, h) such 
that dom(s) D free(c, T) — owned(T), and all cr' , if ( s,h ) |= p and ( s,h ) -jb o' 
then o' ^ abort and a 1 \= q. 

This definition uses the local enabling relation, so that the quantification ranges 
over local states (s, h) consistent with T, for which dom(s) fl owned(T) = {}. 
Furthermore, this notion of validity involves all traces of c, not just the sequential 
traces and not just the finite traces 9 . 

When r is the empty context and res(c) = {}, validity of {} b {p}c{q} 
implies the usual notion of partial correctness together with the guaranteed 
absence of runtime errors. More generally, the same implication holds when 
res(c) = {?’i, . . . , r„} and T is the context n({}) : emp, . . . , r n ({}) : emp. 

We now come to the main result of this paper: soundness of our logic. 

Theorem 6 (Soundness) 

Every provable formula T b {p}c{q\ is valid. 

Proof: 

Show that each well formed instance of an inference rule is sound: if the rule’s 
premisses and conclusion are well formed, the side conditions hold, and the 
premisses are valid, then the conclusion is valid. It then follows, by induction on 
the length of the derivation, that every provable formula is valid. 

We give details for the Parallel rule. 

- Parallel Composition 

Suppose that T b {pi}ci{<7i} and r b are well formed and valid, 

and that free(pi, qi) fl writes(c2) = free(p2,<72) H writes(ci) = {} and 
(free(ci) fl writes(c2)) U (writes(ci) fl free(c2)) C owned(T). 

It is clear that T b {pi *p 2 }ci||c2{<7i *<72} is well formed. We must show that 
r b {pi * P2}ci||c 2 {(7i * <72} is valid. 

Let (s,/i) |= pi * P2, and suppose hi T /12, h = hi ■ /12, and (s, hi) |= pi, 
(s, /12) 1 = P2- Since free(pi) fl writes(c2) = f ree(p2) f~) writes(ci) = {} we 
also have (s\writes(c2), hi) \= pi and (s\writes(ci), /12) |= 712- 
Let a e |[ci || C2] , and (s, h) -jr> a' . Choose traces aq e [ci] and 02 e [02] such 
that a 6 ai||a2- If o' — abort the Parallel Decomposition Lemma would 
imply that (s\writes(c2), hi) -yb abort or (s\writes(ci), /12) abort. 
Neither of these is possible, since they contradict the assumed validity of 



9 The infinite traces only really matter in the no-abort requirement, since we never 
get cr -jb o' when a is infinite and a' is a proper state. 
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the premisses r b {pi}c\{q\} and r b {p 2 }c 2 {< 7 2 }. If ot is infinite that is 
all we need. Otherwise a is finite, and o' has the form ( s' ,h '). Again by 
the Parallel Decomposition Lemma and validity of the premisses, there are 
heaps h\ _L h' 2 such that h! = h\ ■ h' 2 , 

(s\writes(c 2 ), hi) (s'\writes(c 2 ), h'f) 

(s\writes(ci), /i 2 ) (s'\writes(ci), h' 2 ), 

and (s'\writes(c 2 ), h^) |= qi, (s , \writes(ci), h' 2 ) |= q 2 . Since q± does not 
depend on writes(c 2 ) and g 2 does not depend on writes(ci) we also have 
(s', hi) 1= qi and ( s',h' 2 ) \= g 2 , from which it follows that ( s',h ') |= q± * g 2 , 
as required. 



6 Provability Implies No Races 

For a process holding resource set A and a corresponding global state $(s,h,A)$, 
let $s{\restriction}A = s \backslash owned(\Gamma \backslash A)$. This is the "local" portion of the global store "visible" 
to the process by virtue of its current resource set. 

The following result shows how the local effect of an action relates to its global 
effect, modulo the protection policy imposed by the resource context, assuming 
that the process performing the action owns resources in A and the global heap 
contains a sub-heap in which the resource invariants for the available resources 
hold, separately. 

Lemma 7 (Connection Property) 

Let $(s,h,A)$ be a global state and suppose $h = h_1 \cdot h_2$ with $(s,h_2) \models inv(\Gamma \backslash A)$. 

— If $(s,h,A) \xrightarrow{\lambda} abort$ then $(s{\restriction}A, h_1, A) \xrightarrow{\lambda}_\Gamma abort$. 

— If $(s,h,A) \xrightarrow{\lambda} (s',h',A')$ then 

• either $(s{\restriction}A, h_1, A) \xrightarrow{\lambda}_\Gamma abort$ 

• or there are heaps $h'_1 \perp h'_2$ such that $h' = h'_1 \cdot h'_2$, $(s',h'_2) \models inv(\Gamma \backslash A')$, 
and $(s{\restriction}A, h_1, A) \xrightarrow{\lambda}_\Gamma (s'{\restriction}A', h'_1, A')$ 

We can then deduce the following result for all commands c, letting $A = A' = \{\}$ 
and using induction on trace structure. 

Corollary 8 

Let $\alpha \in [\![c]\!]$. Suppose $h = h_1 \cdot h_2$, and $(s,h_2) \models inv(\Gamma)$. 

— If $(s,h) \xRightarrow{\alpha} abort$ then $(s \backslash owned(\Gamma), h_1) \xRightarrow{\alpha}_\Gamma abort$. 

— If $(s,h) \xRightarrow{\alpha} (s',h')$ then 

• either $(s \backslash owned(\Gamma), h_1) \xRightarrow{\alpha}_\Gamma abort$, 

• or there are heaps $h'_1 \perp h'_2$ such that $h' = h'_1 \cdot h'_2$, $(s',h'_2) \models inv(\Gamma)$, 
and $(s \backslash owned(\Gamma), h_1) \xRightarrow{\alpha}_\Gamma (s' \backslash owned(\Gamma), h'_1)$. 

Finally, combining this with the definition of validity we obtain a link with 
the earlier notion of "sequential validity", which we can express rigorously in 
terms of the interference-free enabling relations $\xRightarrow{\alpha}$. 

Theorem 9 (Valid Implies Race-Free) 

If $\Gamma \vdash \{p\}c\{q\}$ is valid and well formed, then c is error-free from every global 
state satisfying $p * inv(\Gamma)$. More specifically, for all states $\sigma, \sigma'$ and all traces 
$\alpha \in [\![c]\!]$, if $\sigma \models p * inv(\Gamma)$ and $\sigma \xRightarrow{\alpha} \sigma'$ then $\sigma' \neq abort$ and $\sigma' \models q * inv(\Gamma)$. 

Combining this result with the Soundness Theorem, it follows that provability 
of $\Gamma \vdash \{p\}c\{q\}$ implies that c is race-free from all states satisfying $p * inv(\Gamma)$. 
Abstract. Regular model checking is being developed for algorithmic 
verification of several classes of infinite-state systems whose configura- 
tions can be modeled as words over a finite alphabet. Examples include 
parameterized systems consisting of an arbitrary number of homogeneous 
finite-state processes connected in a linear or ring-formed topology, and 
systems that operate on queues, stacks, integers, and other linear data 
structures. The main idea is to use regular languages as the represen- 
tation of sets of configurations, and finite-state transducers to describe 
transition relations. In general, the verification problems considered are 
all undecidable, so the work has consisted in developing semi-algorithms, 
and decidability results for restricted cases. This paper provides a survey 
of the work that has been performed so far, and some of its applications. 



1 Introduction 

A significant research effort is currently being devoted to extending the appli- 
cability of algorithmic verification to parameterized and infinite-state systems, 
using approaches based on abstraction, deductive techniques, decision proce- 
dures, etc. One major approach is to extend the paradigm of symbolic model 
checking [BCMD92] to new classes of models by an appropriate symbolic repre- 
sentation; examples include timed automata, systems with unbounded commu- 
nication channels, Petri nets, and systems that operate on integers and reals. 

Regular model checking is such an extension, in which sets of states and tran- 
sition relations are represented by regular sets, typically over finite or infinite 
words or tree structures. Most work has considered models whose configurations 
can be represented as finite words of arbitrary length over a finite alphabet. 
This includes parameterized systems consisting of an arbitrary number of homo- 
geneous finite-state processes connected in a linear or ring-formed topology, and 
systems that operate on queues, stacks, integers, and other linear data struc- 
tures. Regular model checking was advocated by Kesten et al. [KMM+01] and 
by Boigelot and Wolper [WB98], as a uniform framework for analyzing several 
classes of parameterized and infinite-state systems. The idea is that regular sets 
will provide an efficient representation of infinite state spaces, and play a role 
similar to that played by Binary Decision Diagrams (BDDs) for symbolic model 
checking of finite-state systems. One can also exploit automata-theoretic algo- 
rithms for manipulating regular sets. Such algorithms have been successfully 
implemented, e.g., in the Mona [HJJ+96] system. 



P. Gardner and N. Yoshida (Eds.): CONCUR 2004, LNCS 3170, pp. 35—48, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 
A generic task in symbolic model checking is to compute properties of the set 
of reachable states, in order to verify safety properties. For finite-state systems 
this is typically done by state-space exploration, but for infinite-state systems 
this procedure terminates only if there is a bound on the distance (in number 
of transitions) from the initial configurations to any reachable configuration. An 
analogous observation holds if we perform a reachability analysis backwards, by 
iteration-based methods [CES86,QS82] from a set of “unsafe” configurations. A 
parameterized or infinite-state system does not have such a bound, and any non- 
trivial model checking problem is undecidable. In contrast to deductive applica- 
tion of systems like Mona [BK98], the goal in regular model checking is to verify 
system properties algorithmically. An important challenge is therefore to devise 
so-called acceleration techniques, which calculate the effect of arbitrarily long se- 
quences of transitions. This problem has been addressed in regular model checking 
[JN00,BJNT00,AJNd02]. In general, the effect of acceleration is not computable. 
However, computability results have been obtained for certain classes [JN00]. 
Analogous techniques for computing accelerations have successfully been devel- 
oped for several classes of parameterized and infinite-state systems, e.g., systems 
with unbounded FIFO channels [BG96,BGWW97,BH97,ABJ98], systems with 
stacks [BEM97,Cau92,FWW97,ES01], and systems with counters [BW94,CJ98]. 

In this paper, we survey the available work on regular model-checking. The 
use of regular sets to model and specify systems is discussed in Section 2. Tech- 
niques for computing invariants and reachable loops are surveyed in Section 3. 
Finally, some extensions are discussed in Section 4. 

2 Framework 

Model checking is concerned with automated analysis of transition systems, each 
consisting of 

— a set of configurations (or states), some of which are initial , and 

— a transition relation, which is a binary relation on the set of configurations. 

The configurations represent possible “snapshots” of the system state, and 
the transition relation describes how these can evolve over time. Most work on 
model checking assumes that the set of configurations is finite, but significant 
effort is underway to develop model checking techniques for transition systems 
with infinite sets of configurations. 

In its simplest form, the regular model checking framework represents a tran- 
sition system as follows. 

— A configuration (state) of the system is a word over a finite alphabet $\Sigma$. 

— The set of initial configurations is a regular set over $\Sigma$. 

— The transition relation is a regular and length-preserving relation on $\Sigma^*$. It 
is represented by a finite-state transducer over $(\Sigma \times \Sigma)$, which accepts all 
words $(a_1, a'_1) \cdots (a_n, a'_n)$ such that $(a_1 \cdots a_n,\ a'_1 \cdots a'_n)$ is in the transition 
relation. Sometimes, the transition relation is given as a union of a finite 
number of relations, each of which is called an action. 
Given a transducer T, we often abuse notation and use T also to denote the 
relation defined by the transducer. For a set S of configurations and a binary 
relation T on configurations, let $S \circ T$ denote the set of configurations w such 
that $w'\ T\ w$ for some $w' \in S$, let $T^+$ denote the transitive closure of T and 
$T^*$ denote the reflexive transitive closure of T. Let $S^2$ denote the set of pairs of 
elements in S. 

In the regular model checking framework it is possible to model parame- 
terized systems with linear or ring-shaped topologies, e.g., by letting each po- 
sition in the word model the state of a system component. It is also possible 
to model programs that operate on linear unbounded data structures such as 
queues, stacks, integers, etc. For instance, a stack can be modeled by letting 
each position in the word represent a position in the stack. The restriction 
to length-preserving transducers implies that we cannot dynamically “create” 
new stack positions. Therefore the stack should initially contain an arbitrary 
but bounded number of empty stack positions, which are “statically allocated” . 
We can then faithfully model all finite computations of the system, by ini- 
tially allocating sufficiently many empty stack positions. However, it may not 
be possible to model faithfully all infinite computations of the system. Thus, 
the restriction to length-preserving transducers introduces no limitations for an- 
alyzing safety properties, but may incur restrictions on the ability to specify 
and verify liveness properties of systems with dynamically allocated data struc- 
tures. 



2.1 Examples 

In Figure 1 we consider a token passing protocol : a simple parameterized system 
consisting of an arbitrary (but finite) number of processes organized in a linear 
fashion. Initially, the left-most process has the token. In each step, the process 
currently having the token passes it to the right. A configuration of the system 
is a word over the alphabet {t,n}, where t represents that the process has the 
token, and n represents not having it. For instance, the word nntnn represents a 
configuration of a system with five processes where the third process has the to- 
ken. The set of initial states is given by the regular expression tn* (Figure 1(a)). 
The transition relation is represented by the transducer in Figure 1(b). For in- 
stance, the transducer accepts the word (n, n)(n, n)(t, n)(n , t)(n, n), representing 
the pair (nntnn, nnntn) of configurations where the token is passed from the 
third to the fourth process. 



[Figure 1: (a) automaton for I, (b) transducer T; only the caption is recoverable here] 

Fig. 1. Initial set of states and transition relation 



38 



P.A. Abdulla et al. 



As a second example, we consider a system consisting of a finite-state process 
operating on one unbounded FIFO channel. Let Q be the set of control states of 
the process, and let M be the (finite) set of messages which can reside inside the 
channel. A configuration of the system is a word over the alphabet $Q \cup M \cup \{e\}$, 
where the padding symbol e represents an empty position in the channel. For 
instance the word $q_1\, m_3\, m_1\, e\, e$ corresponds to a configuration where the process 
is in state $q_1$ and the channel (of length four) contains the messages $m_3$ and $m_1$ 
in this order. The set of configurations of the system can thus be described by 
the regular expression $Q\, e^* M^* e^*$. 

By allowing arbitrarily many padding symbols e, one can model channels 
of arbitrary but bounded length. As an example, the action where the process 
sends the message m to the channel and changes state from $q_1$ to $q_2$ is modeled 
by the transducer in Figure 2. In the figure, "M" is used to denote any message 
in M. 




Fig. 2. Transducer for sending a message m to the channel 



2.2 Verification Problems 

We will consider two types of verification problems in this paper. 

The first problem is verification of safety properties. A safety property is of 
form “bad things do not happen during system execution” . A safety property can 
be verified by solving a reachability problem. Formulated in the regular model 
checking framework, the corresponding problem is the following: given a set 
of initial configurations I, a regular set of bad configurations B and a transition 
relation specified by a transducer T, does there exist a path from I to B through 
the transition relation T? This amounts to checking whether $(I \circ T^*) \cap B = \emptyset$. 
The problem can be solved by computing the set $Inv = I \circ T^*$ and checking 
whether it intersects B. 

The second problem is verification of liveness properties. A liveness property 
is of form “a good thing happens during system execution” . Often, liveness prop- 
erties are verified using fairness requirements on the model, which can state that 
certain actions must infinitely often be either disabled or executed. Since, by the 
restriction to length-preserving transducers, any infinite system execution can 
only visit a finite set of configurations, the verification of a liveness property can 
be reduced to a repeated reachability problem. The repeated reachability problem 
asks, given a set of initial configurations I, a set of accepting configurations F 
and a transition relation T, whether there exists an infinite computation from 
I through T that visits F infinitely often. By letting F be the configurations 
where the fairness requirement is satisfied, and by excluding states where the 
“good thing” happens from T, the liveness property is satisfied if and only if the 
repeated reachability problem is answered negatively. 

Since the transition relation is length-preserving, and hence each execution 
can visit only a finite set of configurations, the repeated reachability problem 
can be solved by checking whether there exists a reachable loop containing some 
configuration from F. This can be checked by computing $(Inv \cap F)^2 \cap Id$ and 
checking whether this relation intersects $T^+$. Here Id is the identity relation on 
the set of configurations, and $Inv = I \circ T^*$ is as before. 

Sets like $I \circ T^*$ and relations like $T^+$ are in general not regular or even computable (note that $T$ could model the computation steps of a Turing machine). Even if they are regular, they are sometimes not effectively computable. In these cases, the above verification problems cannot be solved by the proposed techniques. Therefore, a main challenge in regular model checking is to design semi-algorithms which successfully compute such sets and relations for as many examples as possible. In Section 3, we briefly survey some techniques that have been developed for this purpose.

2.3 A Specification Logic 

The translation from a problem of verifying liveness under fairness requirements to a repeated reachability problem can be rather tricky. One way to make the task easier is to provide an intuitive syntax for modeling and specification, which can be automatically translated to repeated reachability problems, in analogy with the way that linear-time temporal logic formulas are translated to Büchi automata [VW86].

A logic LTL(MSO) was proposed for regular model checking in [AJN+04]. It uses MSO (monadic second-order logic) over finite words to specify regular sets, and LTL to specify temporal properties. The problem of model checking a formula in LTL(MSO) can be automatically translated into a repeated reachability problem [AJN+04].

The logic LTL(MSO) combines (under certain restrictions) temporal operators of LTL [KPR98], including $\Box$ (always) and $\Diamond$ (eventually), and MSO quantification over positions (first-order) and sets of positions (second-order). Models of LTL(MSO) formulas are sequences of configurations (i.e., words), where the first-order position variables denote positions in configurations, and the second-order variables denote sets of positions. For instance, if $\varphi(i)$ is a formula which specifies a temporal property at position $i$ in the word, then the formula $\forall i\, \Diamond \varphi(i)$ specifies that $\varphi(i)$ eventually holds at each position in the word.

In LTL(MSO), one can represent the configuration of a system by configuration predicates, which can be seen as Boolean arrays indexed by positions. For instance, in the token passing example, we can introduce a configuration predicate $t$, where the atomic formula $t[i]$ is interpreted as "the process at position $i$ has the token", and $t'[i]$ as "the process at position $i$ will have the token in the next time step".

Example. Our running example, token passing, is modeled in LTL(MSO) below following the style of TLA [Lam94], where the system and the property of interest are both specified by formulas. The local states of processes are represented by a configuration predicate $t$: for every $i$, we have that $t[i]$ is true if and only if process $i$ has the token. The set of initial states is modeled by $initial$, where only the first process has the token. The transition relation where the token is passed from position $i$ to position $i+1$ is modeled by $pass(i)$. Finally, the entire system model is specified by $system$. The system actions are "one process passes the token, or all processes idle". Models of this formula correspond to runs of the system.

$initial = \forall i\,(t[i] \leftrightarrow i = 0)$

$idle(i) = t[i] \leftrightarrow t'[i]$

$pass(i) = (t[i] \wedge \neg t'[i]) \wedge \exists j\,(j = i+1 \wedge \neg t[j] \wedge t'[j]) \wedge \forall k\,((k \neq i+1 \wedge k \neq i) \rightarrow idle(k))$

$system = initial \wedge \Box(\exists i\, pass(i) \vee \forall i\, idle(i))$

An example of a safety property for this system is "two different processes may not have the token at the same time":

$safety = \Box\, \neg \exists i, j\,(i \neq j \wedge t[i] \wedge t[j])$

In order to specify termination ("the last process eventually gets the token") we add a fairness constraint for the token passing action. For an action $a$, let $enabled(a)$ represent the set of states where the action $a$ can be taken. $enabled(a)$ can be expressed in the logic, using an existential quantification of the primed configuration predicates in $a$.

$fairness = \forall i\, \Box\Diamond(pass(i) \vee \neg enabled(pass(i)))$

$termination = \Diamond \exists i\,(t[i] \wedge \forall j\, \neg(j = i+1))$

To check that the algorithm satisfies the safety property, we translate the property $system \wedge \neg safety$ to a reachability problem. To check that the algorithm satisfies the liveness property, we translate the property $system \wedge fairness \wedge \neg termination$ to a repeated reachability problem.
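As an added example (not from the survey or from the cited tools), the following Python program checks the two properties above for a fixed number N of processes by explicit-state enumeration, which is what the translations of Section 2.2 amount to once the parameter is fixed: safety becomes reachability of a bad configuration, and liveness under fairness becomes the search for a reachable loop, through configurations in which the "good thing" (termination) has not happened, that satisfies the fairness constraint for every $i$. Configurations are represented as the set of positions holding a token, i.e. the configuration predicate $t$. Treating the fairness constraint as one acceptance condition per process and checking it per strongly connected component is our choice of encoding; the bad set "two processes hold the token" is constructed for the example.

```python
def initial(n):
    """initial = forall i (t[i] <-> i = 0): only process 0 holds the token."""
    return frozenset({0})


def enabled_pass(conf, i, n):
    """pass(i) is enabled when t[i] holds, position i+1 exists, and t[i+1] does not hold."""
    return i in conf and i + 1 < n and (i + 1) not in conf


def successors(conf, n):
    """Labelled steps of 'system': ('idle', None) or ('pass', i); conf = set of token holders."""
    yield ("idle", None), conf
    for i in range(n):
        if enabled_pass(conf, i, n):
            yield ("pass", i), (conf - {i}) | {i + 1}


def reachable(n):
    """Inv = I o T*, computed explicitly for N = n processes."""
    inv, todo = {initial(n)}, [initial(n)]
    while todo:
        conf = todo.pop()
        for _, nxt in successors(conf, n):
            if nxt not in inv:
                inv.add(nxt)
                todo.append(nxt)
    return inv


def bad(conf):
    """B: two different processes hold the token (the negation of 'safety')."""
    return len(conf) >= 2


def terminated(conf, n):
    """termination: the process with no successor position (the last one) holds the token."""
    return (n - 1) in conf


def safety_holds(n):
    return not any(bad(conf) for conf in reachable(n))


def sccs(nodes, edges):
    """Tarjan's algorithm: strongly connected components of the graph (nodes, edges)."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for _, w in edges[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return comps


def loop_exists(n, fairness=True):
    """Repeated reachability for system & fairness & not termination: a reachable loop
    that avoids terminated configurations and in which, for every i, pass(i) is taken
    or is disabled at some configuration (one acceptance condition per process)."""
    nodes = [c for c in reachable(n) if not terminated(c, n)]
    edges = {c: [(lab, d) for lab, d in successors(c, n) if not terminated(d, n)] for c in nodes}
    for comp in sccs(nodes, edges):
        inner = {lab for c in comp for lab, d in edges[c] if d in comp}
        if not inner:  # no loop through this component (cannot happen here: idle is a self-loop)
            continue
        if not fairness:
            return True
        if all(("pass", i) in inner or any(not enabled_pass(c, i, n) for c in comp)
               for i in range(n)):
            return True
    return False


def termination_holds(n):
    """The liveness property holds iff the repeated reachability problem is answered negatively."""
    return not loop_exists(n, fairness=True)
```

Running `loop_exists(5, fairness=False)` shows why the fairness constraint is needed: the idle self-loops alone give an infinite run that never reaches the last process, and only the requirement that an enabled pass(i) is eventually taken rules it out.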



3 Algorithms 

In Section 2, we stated a verification problem as that of computing a representation of $I \circ T^*$ (or $T^+$) for some transition relation $T$ and some set of configurations $I$. In some cases we also have a set of bad configurations $B$ and we want to check whether $I \circ T^* \cap B \neq \emptyset$. Algorithms for symbolic model checking are often based on starting from $I$ and repeatedly applying $T$. As a running illustration, we will consider the problem of computing the transitive closure $T^+$ for the transducer in Figure 1(b). A first attempt is to compute $T^n$, the composition of $T$ with itself $n$ times for $n = 1, 2, 3, \ldots$. For example, $T^3$ is the transition relation where the token gets passed three positions to the right. Its transducer is given below.

[Figure omitted: the transducer for $T^3$; only its $(n,n)$ edge labels survived extraction.]
A transducer for $T^+$ is one where the token gets passed an arbitrary number of times, given below.

[Figure omitted: the transducer for $T^+$; only its $(n,n)$ edge labels survived extraction.]
The challenge is to derive the above transducer algorithmically. Obviously, it cannot be done naively by simply computing the approximations $T^n$ for $n = 1, 2, 3, \ldots$, since this will not converge. Some acceleration or widening techniques must be developed that compute a representation of $T^+$ by other means. In this section, we present some techniques developed in the literature for that purpose.



3.1 Quotienting 

Several techniques in the literature are based on suitable quotienting of transducers that represent approximations of $T^n$ for some value(s) of $n$. This involves finding an equivalence relation $\sim$ on the states of approximations, and merging equivalent states, obtaining a quotient transducer. For instance, in the transducer that represents $T^3$ above, we can define the states 1, 2, and 3 to be equivalent. By merging them, we obtain the transducer $T^3/\!\sim$ which in this example happens to be equivalent to $T^+$.

One problem is that quotienting in general increases the language accepted by a transducer: $\mathcal{L}(T^n) \subseteq \mathcal{L}(T^n/\!\sim)$, usually with strict inclusion. This problem was resolved in [AJNd02,BJNT00,DLS01,AJMd02] by characterizing equivalence relations $\sim$ such that $T^+$ is equivalent to $(T/\!\sim)^+$ for any transducer $T$, i.e., the quotienting does not increase the transitive closure of the transducer. To explain the idea, let us first build explicitly a transducer for $T^+$ as the union of transducers $T^n$ for $n = 1, 2, 3, \ldots$. Each state of $T^n$ is labeled with a sequence of states from $T$, resulting from the product construction using $n$ copies of $T$. The result is called the history transducer. The history transducer corresponding to Figure 1(b) is shown below.

[Figure omitted: the history transducer; only its $(n,t)$ and $(n,n)$ edge labels survived extraction.]
Recall minimization algorithms for automata. They are based on building a forward bisimulation $\simeq_F$ on the states, and then carrying out minimization by quotienting. For instance, in the above history transducer, all states with names of the form $2^i1$ for any $i \geq 0$ are forward bisimilar. Analogously, we can find a backward bisimulation $\simeq_B$. For instance, all states with names of the form $10^i$, $i \geq 0$, are backward bisimilar. Dams et al. [DLS01] showed how to combine a forward $\simeq_F$ and a backward bisimulation $\simeq_B$ into an equivalence relation $\sim$ which preserves the transitive closure of the transducer. In [AJNd03], this result was generalized to consider simulations instead of bisimulations. The simulations can be obtained by computing properties of the original automaton $T$ (as in [AJNd02,AJNd03]), or on successive approximations of $T^n$ (as in [DLS01]).

From the results in [AJNd03] it follows for the above history transducer that the states with names in $2^i1$ can be merged for $i \geq 1$, and the same holds for $10^i$. The equivalence classes for that transducer would be $2^+$, $0^+$, $10^+$, $2^+1$ and $2^+10^+$. Hence, it can be quotiented to the following transducer, which can be minimized to the three-state representation shown earlier.

[Figure omitted: the quotiented transducer; only its $(n,n)$ edge labels survived extraction.]
3.2 Abstraction 

In recent work, Bouajjani et al. [BHV04] apply abstraction techniques to automata that arise in the iterative computation of $I \circ T^*$. When computing the sequence $I, I \circ T, I \circ T^2, I \circ T^3, \ldots$ the automata that arise in the computation may all be different or may be very large and contain information that is not relevant for checking whether $I \circ T^*$ has a nonempty intersection with the set of bad configurations $B$. Therefore, each iterate $I \circ T^n$ is abstracted by quotienting under some equivalence relation $\sim$. In contrast to the techniques of [AJNd02,BJNT00,DLS01,AJMd02], the abstraction does not need to preserve the language accepted, i.e., $(I \circ T^n)/\!\sim$ can be any over-approximation of $I \circ T^n$ or even of $I \circ T^*$. The procedure calculates the sequence of approximations of the form $(((I \circ T)/\!\sim) \circ T)/\!\sim \cdots$. Convergence to a limit $T^{lim}$ can be ensured by choosing $\sim$ to have finite index.

If now $T^{lim} \cap B = \emptyset$, we can conclude (by $\mathcal{L}(I \circ T^*) \subseteq \mathcal{L}(T^{lim})$) that $I \circ T^*$ has an empty intersection with $B$. Otherwise, we try to trace back the computation from $B$ to $I$. If this succeeds, a counterexample has been found; otherwise the abstraction must be refined by using a finer equivalence relation, from which a more exact approximation $T^{lim}$ can be calculated, etc.

The technique relies on defining suitable equivalence relations. One way is to use the automaton for $B$. We illustrate this on the token passing example. Suppose that $B$ is given by the automaton in Fig. 3(a), denoting that the last process has the token. Each state $q$ in an automaton $A$ has a post language $\mathcal{L}(A,q)$ which is the set of words accepted starting from that state. For example, in the automaton for $B$ we have $\mathcal{L}(B,0) = n^*t$ and $\mathcal{L}(B,1) = \{\varepsilon\}$. The post languages are used to define $\sim$, such that $q \sim q'$ holds if for all states $r$ of $B$ we have $\mathcal{L}(A,q) \cap \mathcal{L}(B,r) = \emptyset$ exactly when $\mathcal{L}(A,q') \cap \mathcal{L}(B,r) = \emptyset$. Each equivalence class of $\sim$ can be represented by a Boolean vector indexed by states of $B$, which is true on position $s$ exactly when the equivalence class members have nonempty intersection with $\mathcal{L}(B,s)$. This is one way to get a finite index equivalence relation.

We show an example of an automaton $A$ in Fig. 3(b) with its corresponding abstract version in Fig. 3(c). Considering the states of $A$, we observe that the post languages of states 0 and 1 both have a nonempty intersection with the post language $n^*t$ and an empty intersection with the post language containing the empty string. The post language of state 2 has an empty intersection with $n^*t$ and a nonempty intersection with the post language containing the empty string.

Fig. 3. Applying abstraction: (a) Automaton for $B$; (b) An automaton $A$; (c) The abstract version of $A$. [Figure not reproduced; only its $n$ edge labels survived extraction.]

If a spurious counterexample is found, i.e. a counterexample occurring when quotienting with an equivalence $\sim$ but not in the original system, we need to refine the equivalence and start again. Automata representing parts of the counterexample can be used, in the same way as the automaton $B$ above, to define an equivalence. In [BHV04], the equivalence is refined by using both $B$ and automata representing parts of the counterexample. This prevents the same counterexample from occurring twice. Using abstraction can potentially greatly reduce the execution time, since we only need to verify that we cannot reach $B$ and therefore it may be that less information about the structure of $I \circ T^*$ needs to be stored.

3.3 Extrapolation 

Another technique for calculating $I \circ T^*$ is to speed up the iterative computation by extrapolation techniques that try to guess the limit. The idea is to detect a repeating pattern, a regular growth, in the iterations, from which one guesses the effect of arbitrarily many iterations. The guess may be exactly the limit, or an approximation of it.

In [BJNT00,Tou01], the extrapolation is formulated in terms of rules for guessing $I \circ T^*$ from observed growth patterns among the approximations $I, I \circ T, I \circ T^2, \ldots$. Following Bouajjani et al. [BJNT00], if $I$ is a regular expression $\rho$ which is a concatenation of the form $\rho = \rho_1 \cdot \rho_2$, and in the successive approximations we observe a growth of the form $(\rho_1 \cdot \rho_2) \circ T = \rho_1 \cdot \Lambda \cdot \rho_2$ for some regular expression $\Lambda$, then the guess for the limit $\rho \circ T^*$ is $\rho_1 \cdot \Lambda^* \cdot \rho_2$. Touili [Tou01] extends this approach to more general situations. One of these is when $\rho$ is a concatenation of the form $\rho_1 \cdot \ldots \cdot \rho_n$ and

$$(\rho_1 \cdot \ldots \cdot \rho_n) \circ T = \bigcup_{i=1}^{n-1} \rho_1 \cdot \ldots \cdot \rho_i \cdot \Lambda_i \cdot \rho_{i+1} \cdot \ldots \cdot \rho_n$$

The guess for the limit $\rho \circ T^*$ is in this case

$$\rho_1 \cdot \Lambda_1^* \cdot \rho_2 \cdot \Lambda_2^* \cdot \ldots \cdot \Lambda_{n-1}^* \cdot \rho_n$$

For example, if $\rho = a^*ba^*$ and $T$ is a relation which changes an $a$ to a $c$, then $\rho \circ T$ is $a^*ca^*ba^* \cup a^*ba^*ca^*$ (i.e., each step adds either $ca^*$ to the left of $b$ or $a^*c$ to the right). The above rule guesses the limit $\rho \circ T^*$ to be $a^*(ca^*)^*b(a^*c)^*a^*$. Touili also suggests other, more general, rules.

Having formed a guess $\rho'$ for the limit, we apply a convergence test which checks whether $\rho' = (\rho' \circ T) \cup \rho$. If it succeeds, we can conclude that $\rho \circ T^* \subseteq \rho'$. The work in [BJNT00] and [Tou01] also provides results which state that under some additional conditions, we can in fact conclude that $\rho \circ T^* = \rho'$, i.e., that $\rho'$ is the exact limit.

Boigelot et al. [BLW03] extend the above techniques by considering growth patterns for subsequences of $I, I \circ T, I \circ T^2, \ldots$, consisting of infinite sequences of sample points, noting that the union of the approximations in any such subsequence is equal to the union of the approximations in the full sequence. They apply this idea to iterate a special case of relations, arithmetic transducers, which operate on binary encodings of integers, and give a sufficient criterion for exact extrapolation.

We illustrate these approaches, using our token passing example. From the initial set $\rho_I = tn^*$, we get $\rho_I \circ T = ntn^*$, $\rho_I \circ T^2 = nntn^*$, $\rho_I \circ T^3 = nnntn^*$, and so on. The methods above detect the growth $\rho_I \circ T = n \cdot \rho_I$, and guess that the limit is $n^*tn^*$. In this case, the completeness results of [BJNT00,Tou01] allow us to conclude that the guessed limit is exact.

Fig. 4. Extrapolating token passing: (a) Automaton for $\rho_I$; (b) Automaton for $\rho_I \circ T$; (c) Extrapolated automaton. [Figure not reproduced; only its $n$ edge labels survived extraction.]
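The following Python program is an added example, not part of the survey or of any cited tool, that carries the token-passing illustration through in executable form. It represents $\rho_I = tn^*$ and a length-preserving transducer $T$ as small NFAs, computes $\rho \circ T$ by the product construction, checks the observed growth $\rho_I \circ T = n \cdot \rho_I$, forms the guess $n^* \cdot \rho_I$, runs the convergence test $\rho' = (\rho' \circ T) \cup \rho$ of Section 3.3, and then uses the verified guess as $Inv$ for the safety check of Section 2.2 against a bad set $B$. The transducer is our reconstruction of the relation "pass the token one position to the right" described in the text (Figure 1(b) is not reproduced on this page), and $B$ ("two processes hold the token") is constructed for the example. Naive iteration of $I \cup I \circ T \cup \cdots$ is included to show that it does not stabilise, as noted at the start of Section 3.

```python
from collections import deque

ALPHA = ("n", "t")  # n: no token at this position, t: token here

def nfa(edges, initial, finals):
    """NFA as (transitions, initial, finals); transitions map (state, letter) -> set."""
    trans = {}
    for src, letter, dst in edges:
        trans.setdefault((src, letter), set()).add(dst)
    return trans, initial, set(finals)

# rho_I = t n*: only the first process holds the token.
RHO_I = nfa([(0, "t", 1), (1, "n", 1)], 0, {1})
# T: "pass the token one position right"; our reconstruction of Figure 1(b),
# which is not on the page: copy n's, rewrite t->n then n->t, copy n's.
T = nfa([(0, ("n", "n"), 0), (0, ("t", "n"), 1), (1, ("n", "t"), 2), (2, ("n", "n"), 2)], 0, {2})
# Bad set B (constructed for this example): two processes hold the token at once.
BAD = nfa([(0, "n", 0), (0, "t", 1), (1, "n", 1), (1, "t", 2), (2, "n", 2), (2, "t", 2)], 0, {2})

def image(A, T):
    """rho o T: the outputs w' with (w, w') in T for some w in L(A) (product construction)."""
    (At, Ai, Af), (Tt, Ti, Tf) = A, T
    edges = [((p, q), out, (p2, q2)) for (p, a), ps in At.items()
             for (q, (inp, out)), qs in Tt.items() if inp == a for p2 in ps for q2 in qs]
    return nfa(edges, (Ai, Ti), {(p, q) for p in Af for q in Tf})

def union(A, B):
    """L(A) u L(B): disjoint union behind a fresh initial state 'u'."""
    edges, finals = [], set()
    for tag, (Xt, Xi, Xf) in ((0, A), (1, B)):
        edges += [((tag, s), l, (tag, d)) for (s, l), ds in Xt.items() for d in ds]
        edges += [("u", l, (tag, d)) for (s, l), ds in Xt.items() if s == Xi for d in ds]
        finals |= {(tag, s) for s in Xf} | ({"u"} if Xi in Xf else set())
    return nfa(edges, "u", finals)

def prefix(A, letter, star):
    """letter . L(A), or letter* . L(A) when star is set."""
    At, Ai, Af = A
    edges = [(("p", s), l, ("p", d)) for (s, l), ds in At.items() for d in ds]
    finals = {("p", s) for s in Af} | ({"s"} if star and Ai in Af else set())
    if star:  # 's' loops on letter and otherwise behaves like A's initial state
        edges += [("s", letter, "s")] + [("s", l, ("p", d)) for (s, l), ds in At.items() if s == Ai for d in ds]
    else:
        edges.append(("s", letter, ("p", Ai)))
    return nfa(edges, "s", finals)

def subset(A, B):
    """L(A) <= L(B): pair each A-state with the determinised set of B-states."""
    (At, Ai, Af), (Bt, Bi, Bf) = A, B
    seen, todo = {(Ai, frozenset([Bi]))}, deque([(Ai, frozenset([Bi]))])
    while todo:
        p, S = todo.popleft()
        if p in Af and not (S & Bf):
            return False
        for l in ALPHA:
            S2 = frozenset(d for s in S for d in Bt.get((s, l), ()))
            for p2 in At.get((p, l), ()):
                if (p2, S2) not in seen:
                    seen.add((p2, S2)); todo.append((p2, S2))
    return True

def equal(A, B):
    return subset(A, B) and subset(B, A)

def intersect_empty(A, B):
    """L(A) n L(B) = {}: reachability of a final pair in the product of A and B."""
    (At, Ai, Af), (Bt, Bi, Bf) = A, B
    seen, todo = {(Ai, Bi)}, deque([(Ai, Bi)])
    while todo:
        p, q = todo.popleft()
        if p in Af and q in Bf:
            return False
        for l in ALPHA:
            for p2 in At.get((p, l), ()):
                for q2 in Bt.get((q, l), ()):
                    if (p2, q2) not in seen:
                        seen.add((p2, q2)); todo.append((p2, q2))
    return True

def growth_is_n_prefix():
    """Observed growth rho_I o T = n . rho_I, the pattern the extrapolation rule keys on."""
    return equal(image(RHO_I, T), prefix(RHO_I, "n", star=False))

def extrapolate():
    """Guess rho' = n* . rho_I and run the convergence test rho' = (rho' o T) u rho_I."""
    guess = prefix(RHO_I, "n", star=True)
    return guess, equal(guess, union(image(guess, T), RHO_I))

def naive_iteration_converges(rounds):
    """Plain iteration of I u (I o T) u ...: every round yields a new language."""
    acc = RHO_I
    for _ in range(rounds):
        nxt = union(acc, image(acc, T))
        if equal(nxt, acc):
            return True
        acc = nxt
    return False

def safe():
    """Section 2.2 check with Inv = the verified guess for rho_I o T*: Inv n B = {}."""
    inv, converged = extrapolate()
    return converged and intersect_empty(inv, BAD)
```

`subset` is the standard on-the-fly determinisation of the right-hand automaton, so language equality never builds a full DFA; for the small automata here that is enough, and `safe()` answers the reachability question without ever computing $I \circ T^n$ beyond the one step needed for the growth pattern.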



4 Further Directions 



In previous sections, we have presented the main techniques in regular model checking for the case where system configurations are modeled as finite words, and transition relations are modeled as length-preserving transducers. In this section, we briefly mention some work where these restrictions are lifted.

Non-Length-Preserving Transducers. Lifting the restriction of length-preservation from transducers makes it easier to model dynamic data structures and parameterized systems of processes with dynamic process creation. The techniques have been extended, see, e.g., [DLS01,BLW03].

Infinite Words. The natural extension to modeling systems by infinite words has been considered by Boigelot et al. [BLW04], having the application to real arithmetic in mind. Regular sets and transducers must then be represented by Büchi automata. To avoid the high complexity of some operations on Büchi automata, the approach is restricted to sets that can be defined by weak deterministic Büchi automata.

Finite Trees. Regular sets of trees can in principle be analyzed in the same way as regular sets of words, as was observed also in [KMM+01]. With some complications, similar techniques can be used for symbolic verification [AJMd02,BT02]. Some techniques have been implemented and used to verify simple token-passing algorithms [AJMd02], or to perform data-flow analysis for parallel programs with procedures [BT02].

Context Free Languages. Fisman and Pnueli [FP01] use representations of context-free languages to verify parameterized algorithms, whose symbolic verification requires computation of invariants that are non-regular sets of finite words. The motivating example is the Peterson algorithm for mutual exclusion among $n$ processes [PS81].
Abstract. In this paper we show how a resource-oriented logic, separation logic, can be used to reason about the usage of resources in concurrent programs.



1 Introduction 

Resource has always been a central concern in concurrent programming. Often, 
a number of processes share access to system resources such as memory, pro- 
cessor time, or network bandwidth, and correct resource usage is essential for 
the overall working of a system. In the 1960s and 1970s Dijkstra, Hoare and 
Brinch Hansen attacked the problem of resource control in their basic works on 
concurrent programming [8, 9, 11, 12, 1, 2]. In addition to the use of synchroniza- 
tion mechanisms to provide protection from inconsistent use, they stressed the 
importance of resource separation as a means of controlling the complexity of 
process interactions and reducing the possibility of time-dependent errors. This 
paper revisits their ideas using the formalism of separation logic [22]. 

Our initial motivation was actually rather simple-minded. Separation logic 
extends Hoare’s logic to programs that manipulate data structures with embed- 
ded pointers. The main primitive of the logic is its separating conjunction, which 
allows local reasoning about the mutation of one portion of state, in a way that 
automatically guarantees that other portions of the system’s state remain unaf- 
fected [16]. Thus far separation logic has been applied to sequential code but, 
because of the way it breaks state into chunks, it seemed as if the formalism 
might be well suited to shared-variable concurrency, where one would like to 
assign different portions of state to different processes. 

Another motivation for this work comes from the perspective of general 
resource-oriented logics such as linear logic [10] and BI [17]. Given the develop- 
ment of these logics it might seem natural to try to apply them to the problem 
of reasoning about resources in concurrent programs. This paper is one attempt 
to do so - separation logic’s assertion language is an instance of BI but it is 
certainly not a final story. Several directions for further work will be discussed 
at the end of the paper. 

There are a number of approaches to reasoning about imperative concurrent 
programs (e.g., [19, 21, 14]), but the ideas in an early paper of Hoare on concur- 
rency, “Towards a Theory of Parallel Programming [11]” (henceforth, TTPP), 
fit particularly well with the viewpoint of separation logic. The approach there 
revolves around a concept of "spatial separation" as a way to organize thinking about concurrent processes, and to simplify reasoning. Based on compiler-enforceable syntactic constraints for ensuring separation, Hoare described formal partial-correctness proof rules for shared-variable concurrency that were beautifully modular: one could reason locally about a process, and simple syntactic checks ensured that no other process could tamper with its state in a way that invalidated the local reasoning.

P. Gardner and N. Yoshida (Eds.): CONCUR 2004, LNCS 3170, pp. 49-67, 2004.
(c) Springer-Verlag Berlin Heidelberg 2004
P.W. O'Hearn

So, the initial step in this work was just to insert the separating conjunction 
in appropriate places in the TTPP proof rules, or rather, the extension of these 
rules studied by Owicki and Gries [20] . Although the mere insertion of the sep- 
arating conjunction was straightforward, we found we could handle a number of 
daring, though valuable, programming idioms, and this opened up a number of 
unexpected (for us) possibilities. 

To describe the nature of the daring programs we suppose that there is a 
way in the programming language to express groupings of mutual exclusion. 
A “mutual exclusion group” is a class of commands whose elements (or their 
occurrences) are required not to overlap in their executions. Notice that there 
is no requirement of atomicity; execution of commands from a mutual exclu- 
sion group might very well overlap with execution of a command not in that 
group. In monitor-based concurrency each monitor determines a mutual exclu- 
sion group, consisting of all calls to the monitor procedures. When program- 
ming with semaphores each semaphore s determines a group, the pair of the 
semaphore operations P(s ) and V(s). In TTPP the collection of conditional 
critical regions withr when I? do C with common resource name r forms a mu- 
tual exclusion group. With this terminology we may now state one of the crucial 
distinctions in the paper. 

A program is cautious if, whenever concurrent processes access the same 
piece of state, they do so only within commands from the same mutual 
exclusion group. Otherwise, the program is daring. 

Obviously, the nature of mutual exclusion is to guarantee that cautious pro- 
grams are not racy, where concurrent processes attempt to access the same 
portion of state at the same time without explicit synchronization. The simplic- 
ity and modularity of the TTPP proof rules is achieved by syntactic restrictions 
which ensure caution; a main contribution of this paper is to take the method 
into the realm of daring programs, while maintaining its modular nature. 

Daring programs are many. Examples include: double-buffered I/O, such as 
where one process renders an image represented in a buffer while a second process 
is filling a second buffer, and the two buffers are switched when an image changes; 
efficient message passing, where a pointer is passed from one process to another 
to avoid redundant copying of large pieces of data; memory managers and other 
resource managers such as thread and connection pools, which are used to avoid 
the overhead of creating and destroying threads or connections to databases. 
Indeed, almost all concurrent systems programs are daring, such as microkernel 
OS designs, programs that manage network connectivity and routing, and even 
many application programs such as web servers. 

But to be daring is to court danger: If processes access the same portion of state outside a common mutual exclusion grouping then they just might do so at the same time, and we can very well get inconsistent results. Yet it is possible to be safe, and to know it, when a program design observes a principle of resource separation.

Separation Property. At any time, the state can be partitioned into that 
“owned” by each process and each mutual exclusion group. 

When combined with the principle that a program component only accesses 
state that it owns, separation implies race-freedom. 

Our proof system will be designed to ensure that any program that gets 
past the proof rules satisfies the Separation Property. And because we use a 
logical connective (the separating conjunction) rather than scoping constraints to 
express separation, we are able to describe dynamically changing state partitions, 
where ownership (the right to access) transfers between program components. 
It is this that takes us safely into the territory of daring programs. 

This paper is very much about fluency with the logic - how to reason with 
it rather than its metatheory; we refer the reader to the companion paper by 
Stephen Brookes for a thorough theoretical analysis [4]. In addition to soundness, 
Brookes shows that any proven program will not have a race in an execution 
starting from a state satisfying its precondition. 

After describing the proof rules we give two examples, one of a pointer- 
transferring buffer and the other of a toy memory manager. These examples are 
then combined to illustrate the modularity aspect. The point we will attempt 
to demonstrate is that the specification for each program component is “local” 
or “self contained”, in the sense that assertions make local remarks about the 
portions of state used by program components, instead of global remarks about 
the entire system state. Local specification and reasoning is essential if we are 
ever to have reasoning methods that scale; of course, readers will have to judge 
for themselves whether the specifications meet this aim. 

This is a preliminary paper. In the long version we include several further 
examples, including two semaphore programs and a proof of parallel mergesort. 



2 The Programming Language 

The presentation of the programming language and the proof rules in this section 
and the next follows that of Owicki and Gries [20] , with alterations to account for 
the heap. As there, we will concentrate on programs of a special form, where we 
have a single resource declaration, possibly prefixed by a sequence of assignments 
to variables, and a single parallel composition of sequential commands. 

init;
resource r_1(variable list), ..., r_m(variable list)
C_1 || ··· || C_n

It is possible to consider nested resource declarations and parallel compositions, but the basic case will allow us to describe variable side conditions briefly in an old-fashioned, wordy style. We restrict to this basic case mainly to get more quickly to examples and the main point of this paper, which is exploration of idioms (fluency). We refer to [4] for a more modern presentation of the programming language, which does not observe this restricted form.

Table 1. Sequential Commands

C ::= x := E | x := [E] | [E] := F | x := cons(E_1, ..., E_n) | dispose(E)
    | skip | C; C | if B then C else C | while B do C
    | with r when B do C

E, F ::= x, y, ... | 0 | 1 | E + F | E × F | E − F
B ::= false | B ⇒ B | E = F | E < F

A grammar for the sequential processes is included in Table 1. They include constructs for while programs as well as operators for accessing a program heap. The operations [E] := F and x := [E] are for mutating and reading heap cells, and the commands x := cons(E_1, ..., E_n) and dispose(E) are for allocating and deleting cells. Note that the integer expressions E are pure, in that they do not themselves contain any heap dereferencing [·]. Also, although expressions range over arbitrary integers, the heap is addressed by non-negative integers only; the negative numbers can be used to represent data apart from the addresses, such as atoms and truth values, and we will do this without comment in examples like in Section 4 where we include true, false and nil amongst the expressions E (meaning, say, −1, −2 and −3).

The command for accessing a resource is the conditional critical region: 

with r when B do C . 

Here, B ranges over (heap independent) boolean expressions and C over 
commands. Each resource name determines a mutual exclusion group: two with 
commands for the same resource name cannot overlap in their executions. Exe- 
cution of with r when B do C can proceed if no other region for r is currently 
executing, and if the boolean condition B is true; otherwise, it must wait until 
the conditions for it to proceed are fulfilled. 

It would have been possible to found our study on monitors rather than 
CCRs, but this would require us to include a procedure mechanism and it is 
theoretically simpler not to do so. 

Programs are subject to variable conditions for their well-formedness (from 
[20] ) . We say that a variable belongs to resource r if it is in the associated variable 
list in a resource declaration. We require that 

1. a variable belongs to at most one resource; 

2. if variable x belongs to resource r, it cannot appear in a parallel process 
except in a critical region for r; and 

3. if variable x is changed in one process, it cannot appear in another unless it 
belongs to a resource. 
Table 2. Assertions

Syntax
P, Q, R ::= B | emp | E ↦ F | P * Q | false | P ⇒ Q | ∀x.P | ···

Abbreviations
¬P = P ⇒ false;   true = ¬(false);   P ∨ Q = (¬P) ⇒ Q;   P ∧ Q = ¬(¬P ∨ ¬Q);   ∃x.P = ¬∀x.¬P
E ↦ F_0, ..., F_n = (E ↦ F_0) * ··· * (E + n ↦ F_n)
E ↦ − = ∃y. E ↦ y   (y ∉ Free(E))



For the third condition note that a variable x is changed by an assignment command x := ···, but not by [x] := E; in the latter it is a heap cell, rather than a variable, that is altered.

These conditions ensure that any variables accessed in two concurrent processes must be protected by synchronization. For example, the racy program

x := 3 || x := x + 1

is ruled out by the conditions. In the presence of pointers these syntactic restrictions are not enough to avoid all races. In the legal program

[x] := 3 || [y] := 4

if x and y denote the same integer in the starting state then they will be aliases and we will have a race, while if x and y are unequal then there will be no race.



3 Proof Rules 

The proof rules below refer to assertions from separation logic; see Table 2. The assertions include the points-to relation E ↦ F, the separating conjunction *, the empty-heap predicate emp, and all of classical logic. The use of ··· in the grammar means we are being open-ended, in that we allow for the possibility of other forms such as the −∗ connective from BI or a predicate for describing linked lists, as in Section 5. A semantics for these assertions has been included in the appendix.

Familiarity with the basics of separation logic is assumed [22]. For now we only remind the reader of two main points. First, P * Q means that the (current, or owned) heap can be split into two components, one of which makes P true and the other of which makes Q true. Second, to reason about a dereferencing operation we must know that a cell exists in a precondition. For instance, if {P} [10] := 42 {Q} holds, where the statement mutates address 10, then P must imply the assertion (10 ↦ −) * true that 10 not be dangling. Thus, a precondition confers the right to access certain cells, those that it guarantees are not dangling; this provides the connection between program logic and the intuitive notion of "ownership" discussed in the introduction.

To reason about a program

init;
resource r_1(variable list), ..., r_m(variable list)
C_1 || ··· || C_n

we first specify a formula RI_{r_i}, the resource invariant, for each resource name r_i. These formulae must satisfy

— any command x := ··· changing a variable x which is free in RI_{r_i} must occur within a critical region for r_i.

Owicki and Gries used a stronger condition, requiring that each variable free in RI_{r_i} belong to resource r_i. The weaker condition is due to Brookes, and allows a resource invariant to connect the value of a protected variable with the value of an unprotected one.

Also, for soundness we need to require that each resource invariant is “pre- 
cise” . The definition of precision, and an example of Reynolds showing the need 
to restrict the resource invariants, is postponed to Section 7; for now we will just 
say that the invariants we use in examples will adhere to the restriction. 

In a complete program the resource invariants must be separately established 
by the initialization sequence, together with an additional portion of state that 
is given to the parallel processes for access outside of critical regions. The re- 
source invariants are then removed from the pieces of state accessed directly by 
processes. This is embodied in the 

Rule for Complete Programs 

$$\frac{\{P\}\,\mathit{init}\,\{\mathit{RI}_{r_1} * \cdots * \mathit{RI}_{r_m} * P'\} \qquad \{P'\}\; C_1 \parallel \cdots \parallel C_n\; \{Q\}}{\{P\}\;\; \mathit{init};\; \mathbf{resource}\; r_1(\text{variable list}), \ldots, r_m(\text{variable list});\; C_1 \parallel \cdots \parallel C_n\;\; \{\mathit{RI}_{r_1} * \cdots * \mathit{RI}_{r_m} * Q\}}$$

For a parallel composition we simply give each process a separate piece of 
state, and separately combine the postconditions for each process. 

Parallel Composition Rule 

$$\frac{\{P_1\}\,C_1\,\{Q_1\} \quad \cdots \quad \{P_n\}\,C_n\,\{Q_n\}}{\{P_1 * \cdots * P_n\}\; C_1 \parallel \cdots \parallel C_n\; \{Q_1 * \cdots * Q_n\}} \qquad \text{no variable free in } P_i \text{ or } Q_i \text{ is changed in } C_j \text{ when } j \neq i$$

Using this proof rule we can prove a program that has a potential race, as 
long as that race is ruled out by the precondition. 

$$\frac{\{x \mapsto 3\}\,[x] := 4\,\{x \mapsto 4\} \qquad \{y \mapsto 3\}\,[y] := 5\,\{y \mapsto 5\}}{\{x \mapsto 3 * y \mapsto 3\}\; [x] := 4 \parallel [y] := 5\; \{x \mapsto 4 * y \mapsto 5\}}$$

Here, the * in the precondition guarantees that x and y are not aliases. 
It will be helpful to have an annotation notation for (the binary case of) 
the parallel composition rule. We will use an annotation form where the overall 
precondition and postcondition come first and last, vertically, and are broken up 
for the annotated constituent processes; so the just-given proof is pictured 

    $\{x \mapsto 3 * y \mapsto 3\}$ 
    $\{x \mapsto 3\}$          $\{y \mapsto 3\}$ 
    [x] := 4          ||       [y] := 5 
    $\{x \mapsto 4\}$          $\{y \mapsto 5\}$ 
    $\{x \mapsto 4 * y \mapsto 5\}$ 

The reasoning that establishes the triples $\{P_i\}\,C_i\,\{Q_i\}$ for sequential pro- 
cesses in the parallel rule is done in the context of an assignment of invariants 
$\mathit{RI}_{r_i}$ to resource names $r_i$. This contextual assumption is used in the 

Critical Region Rule 

$$\frac{\{(P * \mathit{RI}_r) \land B\}\; C\; \{Q * \mathit{RI}_r\}}{\{P\}\; \mathbf{with}\; r\; \mathbf{when}\; B\; \mathbf{do}\; C\; \{Q\}} \qquad \text{No other process modifies variables free in } P \text{ or } Q$$

The idea of this rule is that when inside a critical region the code gets to see 
the state associated with the resource name as well as that local to the process it 
is part of, while when outside the region reasoning proceeds without knowledge 
of the resource’s state. 

The side condition “No other process...” refers to the form of a program as 
composed of a fixed number of processes $C_1 \parallel \cdots \parallel C_n$, where an occurrence of 
a with command will be in one of these processes $C_j$. 

Besides these proof rules we allow all of sequential separation logic; see the 
appendix. The soundness of proof rules for sequential constructs is delicate in 
the presence of concurrency. For instance, we can readily derive 

$$\{10 \mapsto 3\}\; x := [10];\; x := [10]\; \{(10 \mapsto 3) \land x = 3\}$$

in separation logic, but if there was interference from another process, say alter- 
ing the contents of 10 between the first and second statements, then the triple 
would not be true. 

The essential point is that proofs in our system build in the assumption 
that there is “no interference from the outside”, in that processes only affect 
one another at explicit synchronization points. This mirrors a classic program 
design principle of Dijkstra, that “apart from the (rare) moments of explicit 
intercommunication, the individual processes are to be regarded as completely 
independent of each other” [8]. It allows us to ignore the minute details of po- 
tential interleavings of sequential programming constructs, thus greatly reducing 
the number of process interactions that must be accounted for in a verification. 

In sloganeering terms we might say that well specified processes mind their 
own business : proven processes only dereference those cells that they own, those 
known to exist in a precondition for a program point. This, combined with the 
use of * to partition program states, implements Dijkstra’s principle. 
These intuitive statements about interference and ownership receive formal 
underpinning in Brookes’s semantic model [4]. The most remarkable part of his 
analysis is an interplay between an interleaving semantics based on traces of 
actions and a “local enabling” relation that “executes” a trace in a portion of 
state owned by a process. The enabling relation skips over intermediate states 
and explains the “no interference from the outside” idea. 



4 Example: Pointer-Transferring Buffer 

For efficient message passing it is often better to pass a pointer to a value from 
one process to another, rather than passing the value itself; this avoids unneeded 
copying of data. For example, in packet-processing systems a packet is written to 
storage by one process, which then inserts a pointer to the packet into a message 
queue. The receiving process, after finishing with the packet, returns the pointer 
to a pool for subsequent reuse. Similarly, if a large file is to be transmitted 
from one process to another it can be better to pass a pointer than to copy its 
contents. This section considers a pared-down version of this scenario, using a 
one-place buffer. 

In this section we use operations cons and dispose for allocating and deleting 
binary cons cells. (To be more literal, dispose(E) in this section would be 
expanded into dispose(E); dispose(E + 1) in the syntax of Section 2.) 

The initialization and resource declaration are 

full := false; 
resource buf(c,full) 

and we have code for putting a value into the buffer and for reading it out. 

    put(x) = with buf when ¬full do 
               c := x; full := true; 

    get(y) = with buf when full do 
               y := c; full := false; 

For presentational convenience we are using definitions of the form 

    name($\bar{x}$) = with r when B do C 

to encapsulate operations on a resource. In this we are not introducing a proce- 
dure mechanism, but are merely using name($\bar{x}$) as an abbreviation. 

We focus on the following code. 

    x := cons(a, b);   ||   get(y); 
    put(x);                 use(y); 
                            dispose(y); 

This creates a new pointer in one process, which points to a binary cons cell 
containing values a and b. To transmit these values to the other process, instead 
of copying both a and b the pointer itself is placed in the buffer. The second 
process reads the pointer out, uses it in some way, and finally disposes it. To 
reason about the dispose operation in the second process, we must ensure that 
$y \mapsto -,-$ holds beforehand. At the end of the section we will place these code 
snippets into loops, as part of a producer/consumer idiom, but for now will 
concentrate on the snippets themselves. 

The resource invariant for the buffer is 

$$\mathit{RI}_{buf} :\; (full \land c \mapsto -,-) \lor (\lnot full \land emp).$$

To understand this invariant it helps to use the “ownership” or “permission” 
reading of separation logic, where an assertion P at a program point implies that 
“I have the right to dereference the cells in P here”, or more briefly, “I own P” 
[18]. According to this reading the assertion $c \mapsto -,-$ says “I own binary cons 
cell c” (and I don’t own anything else). The assertion emp does not say that the 
global state is empty, but rather that “I don’t own any heap cells, here” . Given 
this reading the resource invariant says that the buffer owns the binary cons cell 
associated with c when full is true, and otherwise it owns no heap cells. 

Here is a proof for the body of the with command in put(x). 

    $\{(\mathit{RI}_{buf} * x \mapsto -,-) \land \lnot full\}$ 
    $\{(\lnot full \land emp) * x \mapsto -,-\}$ 
    $\{x \mapsto -,-\}$ 
    c := x; full := true 
    $\{full \land c \mapsto -,-\}$ 
    $\{\mathit{RI}_{buf}\}$ 
    $\{\mathit{RI}_{buf} * emp\}$ 

The rule for with commands then gives us 

$$\{x \mapsto -,-\}\; \mathit{put}(x)\; \{emp\}.$$

The postcondition indicates that the sending process gives up ownership of 
pointer x when it is placed into the buffer, even though the value of x is still 
held by the sender. 

A crucial point in the proof of the body is the implication 

$$full \land c \mapsto -,- \;\Rightarrow\; \mathit{RI}_{buf}$$

which is applied in the penultimate step. This step reflects the idea that the 
knowledge “x points to something” flows out of the user program and into the 
buffer resource. On exit from the critical region x does indeed point to something 
in the global state, but this information cannot be recorded in the postcondition 
of put. The reason is that we used $c \mapsto -,-$ to re-establish the resource invariant; 
having $x \mapsto -,-$ as the postcondition would be tantamount to asserting 
$(x \mapsto -,-) * (c \mapsto -,-)$ at the end of the body of the with command, and this assertion 
is necessarily false when c and x are equal, as they are at that point. 

The flipside of the first process giving up ownership is the second’s assumption 
of it: 
    $\{(\mathit{RI}_{buf} * emp) \land full\}$ 
    $\{full \land c \mapsto -,-\}$ 
    y := c; full := false 
    $\{y \mapsto -,- \land \lnot full\}$ 
    $\{(\lnot full \land emp) * y \mapsto -,-\}$ 
    $\{\mathit{RI}_{buf} * y \mapsto -,-\}$ 

which gives us 

$$\{emp\}\; \mathit{get}(y)\; \{y \mapsto -,-\}.$$

We can then prove the parallel processes as follows, assuming that use(y) 
satisfies the indicated triple. 

    $\{emp * emp\}$ 
    $\{emp\}$                        $\{emp\}$ 
    x := cons(a, b);                 get(y); 
    $\{x \mapsto -,-\}$              $\{y \mapsto -,-\}$ 
    put(x);               ||         use(y); 
    $\{emp\}$                        $\{y \mapsto -,-\}$ 
                                     dispose(y); 
                                     $\{emp\}$ 
    $\{emp * emp\}$ 
    $\{emp\}$ 

Then using the fact that the initialization establishes the resource invariant 
in a way that gets us ready for the parallel rule 

    $\{emp\}$ 
    full := false 
    $\{\lnot full \land emp\}$ 
    $\{\mathit{RI}_{buf} * emp * emp\}$ 

we obtain the triple $\{emp\}\; \mathit{prog}\; \{\mathit{RI}_{buf}\}$ for the complete program prog. 

In writing annotated programs we generally include assertions at program 
points to show the important properties that hold; to formally connect to the 
proof theory we would sometimes have to apply an axiom followed by the Hoare 
rule of consequence or other structural rules. For instance, in the left process 
above we used $x \mapsto -,-$ as the postcondition of x := cons(a, b); to get there from 
the “official” postcondition $x \mapsto a, b$ we just observe that it implies $x \mapsto -,-$. We 
will often omit mention of little implications such as this one. 

The verification just given also shows that if we were to add a command, say 
x.1 := 3, that dereferences x after the put command in the left process then 
we would not be able to prove the resulting program. The reason is that emp 
is the postcondition of put(x), while separation logic requires that x point to 
something (be owned) in the precondition of any operation that dereferences x. 

In this verification we have concentrated on tracking ownership, using asser- 
tions that are type-like in nature: they say what kind of data exists at various 
program points, but do not speak of the identities of the data. For instance, 
because the assertions use $-,-$ they do not track the flow of the values a and b 
from the left to the right process. To show stronger correctness properties, which 
track buffer contents, we would generally need to use auxiliary variables [20]. 

As it stands the code we have proven is completely sequential: the left process 
must go first. Using the properties we have shown it is straightforward to prove 
a producer/consumer program, where these code snippets are parts of loops, as 
in Table 3. In the code there emp is the invariant for each loop, and the overall 
property proven ensures that there is no race condition. 

Table 3. Pointer-passing Producer/Consumer Program 

    $\{emp\}$ 
    full := false; 
    $\{emp \land \lnot full\}$ 
    $\{\mathit{RI}_{buf} * emp * emp\}$ 
    resource buf(c, full) 
    $\{emp * emp\}$ 

    $\{emp\}$                        $\{emp\}$ 
    while true do          ||        while true do 
      $\{emp\}$                        $\{emp\}$ 
      produce(a, b);                   get(y); 
      x := cons(a, b);                 use(y); 
      put(x);                          dispose(y); 
      $\{emp\}$                        $\{emp\}$ 
    $\{false\}$                      $\{false\}$ 

    $\{false * false\}$ 
    $\{\mathit{RI}_{buf} * false\}$ 
    $\{false\}$ 



5 Example: Memory Manager 

A resource manager keeps track of a pool of resources, which are given to re- 
questing processes, and received back for reallocation. As an example of this we 
consider a toy manager, where the resources are memory chunks of size two. The 
manager maintains a free list, which is a singly-linked list of binary cons cells. 
The free list is pointed to by $f$, which is part of the declaration 

    resource mm(f) 

The invariant for mm is just that $f$ points to a singly-linked list without any 
dangling pointers in the link fields: 

$$\mathit{RI}_{mm} :\; \mathit{list}\, f.$$




60 



P.W. O’Hearn 



The list predicate is the least satisfying the following recursive specification. 

$$\mathit{list}\, x \iff (x = \mathit{nil} \land emp) \lor (\exists y.\; x \mapsto -, y * \mathit{list}\, y)$$

When a user program asks for a new cell, mm gives it a pointer to the first 
element of the free list, if the list is nonempty. In case the list is empty the mm 
calls cons to get an extra element. 

    alloc(x, a, b) = with mm when true do 
                       if f = nil then x := cons(a, b) 
                       else x := f; f := x.2; x.1 := a; x.2 := b 

    dealloc(y) = with mm when true do 
                   y.2 := f; 
                   f := y; 

The command f := x.2 reads the cdr of binary cons cell x and places it into 
f. We can desugar x.2 as [x + 1] in the RAM model of separation logic, and 
similarly we will use x.1 for [x] to access the car of a cons cell. 

Using the rule for with commands we obtain the following “interface speci- 
fications” : 

$$\{emp\}\; \mathit{alloc}(x, a, b)\; \{x \mapsto a, b\} \qquad \{y \mapsto -,-\}\; \mathit{dealloc}(y)\; \{emp\}.$$

The specification of alloc(x, a, b) illustrates how ownership of a pointer ma- 
terializes in the user code, for subsequent use. Conversely, the specification of 
dealloc requires ownership to be given up. The proofs of the bodies of these 
operations using the with rule describe ownership transfer in much the same 
way as in the previous section, and are omitted. 

Since we have used a critical region to protect the free list from corruption, 
it should be possible to have parallel processes that interact with mm. A tiny 
example of this is just two processes, each of which allocates, mutates, then 
deallocates. 



    $\{emp * emp\}$ 
    $\{emp\}$                        $\{emp\}$ 
    alloc(x, a, b);                  alloc(y, a', b'); 
    $\{x \mapsto a, b\}$             $\{y \mapsto a', b'\}$ 
    x.1 := 4              ||         y.1 := 7 
    $\{x \mapsto 4, b\}$             $\{y \mapsto 7, b'\}$ 
    dealloc(x);                      dealloc(y); 
    $\{emp\}$                        $\{emp\}$ 
    $\{emp * emp\}$ 
    $\{emp\}$ 

This little program is an example of one that is daring but still safe. To see 
the daring aspect, consider an execution where the left process goes first, right 
up to completion, before the right one begins. Then the statements mutating 
x.1 and y.1 will in fact alter the same cell, and these statements are not within 
critical regions. However, although there is potential aliasing between x and y, 
the program proof tells us that there is no possibility of racing in any execution. 

On the other hand, if we were to insert a command x.1 := 8 immediately 
following dealloc(x) in the leftmost process then we would indeed have a race. 
However, the resulting program would not get past the proof rules, because the 
postcondition of dealloc(x) is emp. 

The issue here is not exclusive to memory managers. When using a connection 
pool or a thread pool in a web server, for example, once a handle is returned to 
the pool the returning process must make sure not to use it again, or inconsistent 
results may ensue. 

6 Combining the Buffer and Memory Manager 

We now show how to put the treatment of the buffer together with the 
home-grown memory manager mm, using alloc and dealloc instead of cons and 
dispose. The aim is to show different resources interacting in a modular way. 

We presume now that we have the resource declarations for both mm and 
buf, and their associated resource invariants. Here is the proof for the parallel 
processes in Section 4 done again, this time using mm. 

    $\{emp * emp\}$ 
    $\{emp\}$                        $\{emp\}$ 
    alloc(x, a, b);                  get(y); 
    $\{x \mapsto -,-\}$              $\{y \mapsto -,-\}$ 
    put(x);               ||         use(y); 
    $\{emp\}$                        $\{y \mapsto -,-\}$ 
                                     dealloc(y); 
                                     $\{emp\}$ 
    $\{emp * emp\}$ 
    $\{emp\}$ 

In this code, a pointer’s ownership is first transferred out of the mm resource 
into the lefthand user process. It then gets sent into the buf resource, from where 
it is taken out by the righthand process and promptly returned to mm. 

The initialization sequence and resource declaration now have the form 

    full := false; 
    resource buf(c, full), mm(f) 

and we have the triple 

$$\{\mathit{list}(f)\}\; full := false\; \{\mathit{RI}_{buf} * \mathit{RI}_{mm} * emp * emp\}$$

which sets us up for reasoning about the parallel composition. We can use the 
rule for complete programs to obtain a property of the complete program. 

The point is that we did not have to change any of the code or verifications 
done with mm or with buf inside the parallel processes; we just used the same 
preconditions and postconditions for get, put, alloc and dealloc, as given to 
us by the proof rule for CCRs. The crucial point is that the rule for CCRs does 
not include the resource invariant in the “interface specification” described by 
the conclusion of the rule. As a result, a proof using these specifications does 
not need to be repeated, even if we change the implementation and internal 
resource invariant of a module. Effective resource separation allows us to present 
a localized view, where the state of a resource is hidden from user programs 
(when outside critical regions). 
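The ownership transfers that Sections 4 to 6 describe can be watched happening at run time. The following Python model is an added example, not code from the paper: it implements the one-place buffer and the toy memory manager as resources that own heap cells, gives each process its own ownership set, and raises an error whenever a process dereferences a cell it does not currently own or a resource leaves a critical region with its invariant violated. The class and function names, the encoding of nil as 0, the starting address 10 and the principal names "left", "right", "buf" and "mm" are all assumptions of the example. The conditional critical regions are modelled without a scheduler, so a with command whose condition is false simply fails instead of blocking, and the two processes run left-then-right, which the paper notes is the only order the proven snippets admit.

```python
NIL = 0  # constructed encoding of nil; heap addresses start above it


class OwnershipError(Exception):
    """A principal touched a cell it does not own: the step the rules reject."""


class Heap:
    """Integer cells plus an ownership map; principals are process names
    ("left", "right") or resource names ("buf", "mm"), all constructed."""

    def __init__(self):
        self.cells, self.owner, self.next_addr = {}, {}, 10  # 10 is constructed

    def owned_by(self, who):
        return {a for a, p in self.owner.items() if p == who}

    def check(self, who, addr):
        if self.owner.get(addr) != who:
            raise OwnershipError(f"{who} touches {addr}, owned by {self.owner.get(addr)}")

    def read(self, who, addr):
        self.check(who, addr)
        return self.cells[addr]

    def write(self, who, addr, value):
        self.check(who, addr)
        self.cells[addr] = value

    def cons(self, who, a, b):
        """x := cons(a, b): a fresh binary cell owned by the caller."""
        x, self.next_addr = self.next_addr, self.next_addr + 2
        self.cells[x], self.cells[x + 1] = a, b
        self.owner[x] = self.owner[x + 1] = who
        return x

    def transfer(self, x, src, dst):
        """Move ownership of binary cell x from src to dst: the step that
        re-establishing a resource invariant performs in a with-body proof."""
        for addr in (x, x + 1):
            self.check(src, addr)
            self.owner[addr] = dst


class Buffer:
    """One-place buffer; RI_buf: (full and c |-> -,-) or (not full and emp)."""

    def __init__(self, heap):
        self.heap, self.full, self.c = heap, False, NIL

    def invariant_holds(self):
        owned = self.heap.owned_by("buf")
        return owned == ({self.c, self.c + 1} if self.full else set())

    def put(self, proc, x):  # with buf when not full do c := x; full := true
        assert not self.full, "would block on not full (no scheduler in this model)"
        self.heap.transfer(x, proc, "buf")  # ownership of x flows into buf
        self.c, self.full = x, True
        assert self.invariant_holds()

    def get(self, proc):  # with buf when full do y := c; full := false
        assert self.full, "would block on full (no scheduler in this model)"
        y, self.full = self.c, False
        self.heap.transfer(y, "buf", proc)  # and flows out to the receiver
        assert self.invariant_holds()
        return y


class MemoryManager:
    """Toy manager with free list f; RI_mm: list f."""

    def __init__(self, heap):
        self.heap, self.f = heap, NIL

    def invariant_holds(self):
        """Walk the link fields; every cell is mm's and mm owns nothing else."""
        seen, p = set(), self.f
        while p != NIL:
            if p in seen or self.heap.owner.get(p) != "mm":
                return False
            seen.update({p, p + 1})
            p = self.heap.cells[p + 1]
        return self.heap.owned_by("mm") == seen

    def alloc(self, proc, a, b):  # with mm when true do if f = nil then ... else ...
        if self.f == NIL:
            x = self.heap.cons(proc, a, b)
        else:
            x, self.f = self.f, self.heap.read("mm", self.f + 1)
            self.heap.write("mm", x, a)
            self.heap.write("mm", x + 1, b)
            self.heap.transfer(x, "mm", proc)  # ownership materializes in user code
        assert self.invariant_holds()
        return x

    def dealloc(self, proc, y):  # with mm when true do y.2 := f; f := y
        self.heap.transfer(y, proc, "mm")  # ownership is given up
        self.heap.write("mm", y + 1, self.f)
        self.f = y
        assert self.invariant_holds()


def section6_program(heap, mm, buf, a, b):
    """The Section 6 processes, run left then right; returns what use(y) read."""
    x = mm.alloc("left", a, b)
    buf.put("left", x)
    y = buf.get("right")
    used = (heap.read("right", y), heap.read("right", y + 1))  # use(y)
    mm.dealloc("right", y)
    return used


def unprovable_variants(heap, mm, buf):
    """A dereference after put and a write after dealloc both fall outside the
    writer's ownership, so the monitor flags them as the proof rules would."""
    caught = {}
    x = mm.alloc("left", 1, 2)
    buf.put("left", x)
    try:
        heap.write("left", x, 3)  # x.1 := 3 after put(x)
        caught["deref_after_put"] = False
    except OwnershipError:
        caught["deref_after_put"] = True
    y = buf.get("right")
    mm.dealloc("right", y)
    try:
        heap.write("right", y, 8)  # y.1 := 8 after dealloc(y)
        caught["write_after_dealloc"] = False
    except OwnershipError:
        caught["write_after_dealloc"] = True
    return caught
```

Running section6_program returns the values use(y) read; afterwards both resource invariants hold and neither process owns anything, matching the final emp * emp, and a second run reuses the cell from the free list rather than consing a new one. unprovable_variants reproduces the two additions the paper rejects (a dereference of x after put(x) in Section 4, and a write through a pointer after it has been returned to mm in Section 5) and reports that the monitor catches both.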



7 The Reynolds Counterexample 

The following counterexample, due to John Reynolds, shows that the concur- 
rency proof rules are incompatible with the usual Hoare logic rule of conjunction 

$$\frac{\{P\}\,C\,\{Q\} \qquad \{P'\}\,C\,\{Q'\}}{\{P \land P'\}\; C\; \{Q \land Q'\}}$$

The example uses a resource declaration 

    resource r() 

with invariant 

$$\mathit{RI}_r = \mathit{true}.$$

Let $one$ stand for the assertion $10 \mapsto -$. First, we have the following derivation 
using the axiom for skip, the rule of consequence, and the rule for critical regions. 

    $\{true\}$ skip $\{true\}$ 
    $\{(emp \lor one) * true\}$ skip $\{emp * true\}$ 
    $\{emp \lor one\}$ with r when true do skip $\{emp\}$ 

Then, from the conclusion of this proof, we can construct two derivations: 

    $\{emp \lor one\}$ with r when true do skip $\{emp\}$ 
    $\{emp\}$ with r when true do skip $\{emp\}$ 
    $\{emp * one\}$ with r when true do skip $\{emp * one\}$ 
    $\{one\}$ with r when true do skip $\{one\}$ 

and 

    $\{emp \lor one\}$ with r when true do skip $\{emp\}$ 
    $\{one\}$ with r when true do skip $\{emp\}$ 

Both derivations begin with the rule of consequence, using the implications 
$emp \Rightarrow emp \lor one$ and $one \Rightarrow emp \lor one$. The first derivation continues with an 
application of the ordinary frame rule, with invariant one, and one further use 
of consequence. 

The conclusions of these two derivations are incompatible with one another. 
The first says that ownership of the single cell is kept by the user code, while 
the second says that it is swallowed up by the resource. An application of the 
conjunction rule with these two conclusions gives us the premise of the following 
which, using the rule of consequence, leads to an inconsistency. 

    $\{one \land one\}$ with r when true do skip $\{emp \land one\}$ 
    $\{one\}$ with r when true do skip $\{false\}$ 

The last triple would indicate that the program diverges, where it clearly 
does not. 

The fact that the resource invariant $\mathit{true}$ does not precisely say what storage 
is owned conspires together with the nondeterministic nature of $*$ to fool the proof 
rules. A way out of this problem is to insist that resource invariants precisely nail 
down a definite area of storage [18]. In the semantic notation of the appendix, 

an assertion $P$ is precise if for all states $(s, h)$ there is at most one subheap 
$h' \subseteq h$ where $s, h' \models P$. 

The subheap $h'$ here is the area of storage that a precise predicate identifies. 

The Reynolds counterexample was discovered in August of 2002, a year after 
the author had described the proof rules and given the pointer-transferring buffer 
example in an unpublished note. Realizing that the difficulty in the example had 
as much to do with information hiding as concurrency, the author, Yang and 
Reynolds studied a version of the problem in a sequential setting, where precise 
resource invariants were used to describe the internal state of a module [18]. The 
more difficult concurrent case was then settled by Brookes [4]; his main result is 

Theorem (Brookes): the proof rules are sound if all resource invariants 
are precise predicates. 

This rules out Reynolds’s counterexample because true is not a precise pred- 
icate. And the resource invariants in the one-place buffer and the toy memory 
manager are both precise. 



8 Conclusion 

It may seem as if the intuitive points about separation made in this paper should 
apply more generally than to shared-variable concurrency; in particular, it would 
be interesting to attempt to provide modular methods for reasoning about pro- 
cess calculi using resource-oriented logics. In CSP the concepts of resource sep- 
aration and sharing have been modelled in a much more abstract way than in 
this paper [13]. And the $\pi$-calculus is based on very powerful primitives for name 
manipulation [15], which are certainly reminiscent of pointers in imperative pro- 
grams. In both cases it is natural to wonder whether one could have a logic 
which allows names to be successively owned by different program components, 
while maintaining the resource separation that is often the basis of system de- 
signs. However, the right way of extending the ideas here to process calculi is 
not obvious. 
A line of work that bears a formal similarity to ours is that of Caires, Cardelli 
and Gordon on logics for process calculi [6,5]. Like here, they use a mixture 
of substructural logic and ordinary classical logic and, like here, they consider 
concurrency. But independence between processes has not been emphasized in 
their work - there is no analogue of what we called the Separation Property - 
and neither have they considered the impact of race conditions. Their focus is 
instead on the expression of what they call “intensional” properties, such as the 
number of connections between two processes. So, although similar in underlying 
logical technology, their approach uses this technology in a very different way. 

The idea of ownership is, as one might expect, central in work on Ownership 
Types [7]. It would be interesting to attempt to describe a formal connection. 

Stepping back in time, one of the important early works on reasoning about 
imperative concurrent programs was that of Owicki and Gries [19]. A difference 
with the work here is that our system rules out racy programs, while theirs does 
not. However, they handle racy programs by assuming a fixed level of granular- 
ity, where if we were to make such an assumption explicit (using a critical region) 
such programs would not be, in principle, out of reach of our methods. More im- 
portantly, the Owicki-Gries method involves explicit checking of non-interference 
between program components, while our system rules out interference in an im- 
plicit way, by the nature of the way that proofs are constructed. The result is 
that the method here is more modular. 

This last claim is not controversial; it just echoes a statement of Owicki and 
Gries. There are in fact two classic Owicki-Gries works, one [20] which extends 
the approach of Hoare in TTPP, and another [19] which is more powerful but 
which involves explicit non-interference checking. They candidly acknowledge 
that “the proof process becomes much longer” in their more powerful method; 
one way to view this work is as an attempt to extend the more modular of 
the two approaches, where the proof process is shorter, to a wider variety of 
programs. 

There are a number of immediate directions for future work. One is the incor- 
poration of passivity, which would allow read-only sharing of heap cells between 
processes. Another is proof methods that do not require complete resource sep- 
aration, such as the rely-guarantee method [14,23], where the aim would be to 
use separation logic’s local nature to cut down the sizes of rely and guarantee 
conditions. A third is the incorporation of temporal features. Generally, how- 
ever, we believe that the direction of resource-oriented logics offers promise for 
reasoning about concurrent systems, as we hope to have demonstrated in the 
form of proofs and specifications given in this paper. 
Appendix: Sequential Separation Logic 

Reasoning about atomic commands is based on the “small axioms” where $x, m, n$ 
are assumed to be distinct variables. 

$$\{E \mapsto -\}\; [E] := F\; \{E \mapsto F\}$$

$$\{E \mapsto -\}\; \mathit{dispose}(E)\; \{emp\}$$

$$\{x = m \land emp\}\; x := \mathit{cons}(E_1, \ldots, E_k)\; \{x \mapsto E_1[m/x], \ldots, E_k[m/x]\}$$

$$\{x = n \land emp\}\; x := E\; \{x = (E[n/x]) \land emp\}$$

$$\{E \mapsto n \land x = m\}\; x := [E]\; \{x = n \land E[m/x] \mapsto n\}$$

Typically, the effects of these “small” axioms can be extended using the frame 
rule: 

$$\frac{\{P\}\,C\,\{Q\}}{\{P * R\}\; C\; \{Q * R\}} \qquad C \text{ doesn't change variables free in } R$$

In addition to the above we have the usual proof rules of standard Hoare logic. 

$$\frac{\{P \land B\}\,C\,\{P\}}{\{P\}\; \mathbf{while}\; B\; \mathbf{do}\; C\; \{P \land \lnot B\}} \qquad \frac{P \Rightarrow P' \quad \{P'\}\,C\,\{Q'\} \quad Q' \Rightarrow Q}{\{P\}\,C\,\{Q\}}$$

$$\{P\}\,\mathbf{skip}\,\{P\} \qquad \frac{\{P\}\,C_1\,\{Q\} \quad \{Q\}\,C_2\,\{R\}}{\{P\}\; C_1; C_2\; \{R\}}$$

$$\frac{\{P \land B\}\,C\,\{Q\} \quad \{P \land \lnot B\}\,C'\,\{Q\}}{\{P\}\; \mathbf{if}\; B\; \mathbf{then}\; C\; \mathbf{else}\; C'\; \{Q\}}$$

Also, although we have not stated them, there is a substitution rule and a rule 
for introducing existential quantifiers, as in [16]. 

We can use $P \Rightarrow Q$ in the consequence rule when $s, h \models P \Rightarrow Q$ holds for all 
s and h in the semantics below (when the domain of s contains the free variables 
of P and Q.) Thus, the semantics is, in this paper, used as an oracle by the proof 
system. 

A state consists of two components, the stack $s \in S$ and the heap $h \in H$, 
both of which are finite partial functions as indicated in the following domains. 

$$\mathit{Variables} = \{x, y, \ldots\} \qquad \mathit{Nats} = \{0, 1, 2, \ldots\}$$

$$\mathit{Ints} = \{\ldots, -1, 0, 1, \ldots\} \qquad H = \mathit{Nats} \rightharpoonup_{\mathit{fin}} \mathit{Ints}$$

$$S = \mathit{Variables} \rightharpoonup_{\mathit{fin}} \mathit{Ints} \qquad \mathit{States} = S \times H$$

Integer and boolean expressions are determined by valuations 

$$[\![E]\!]s \in \mathit{Ints} \qquad [\![B]\!]s \in \{\mathit{true}, \mathit{false}\}$$



where the domain of $s \in S$ includes the free variables of $E$ or $B$. We use the 
following notations in the semantics of assertions. 

1. $\mathit{dom}(h)$ denotes the domain of definition of a heap $h \in H$, and $\mathit{dom}(s)$ is the 
domain of $s \in S$; 

2. $h \mathrel{\#} h'$ indicates that the domains of $h$ and $h'$ are disjoint; 

3. $h \cdot h'$ denotes the union of disjoint heaps (i.e., the union of functions with 
disjoint domains); 

4. $(f \mid i \mapsto j)$ is the partial function like $f$ except that $i$ goes to $j$. 

The satisfaction judgement $s, h \models P$, which says that an assertion holds for a 
given stack and heap, is defined as follows. (This assumes that $\mathit{Free}(P) \subseteq \mathit{dom}(s)$, 
where $\mathit{Free}(P)$ is the set of variables occurring freely in $P$.) 

$$s, h \models B \;\text{ iff }\; [\![B]\!]s = \mathit{true}$$

$$s, h \models P \Rightarrow Q \;\text{ iff }\; \text{if } s, h \models P \text{ then } s, h \models Q$$

$$s, h \models \forall x.\, P \;\text{ iff }\; \forall v \in \mathit{Ints}.\; (s \mid x \mapsto v), h \models P$$

$$s, h \models emp \;\text{ iff }\; h = [\,] \text{ is the empty heap}$$

$$s, h \models E \mapsto F \;\text{ iff }\; \{[\![E]\!]s\} = \mathit{dom}(h) \text{ and } h([\![E]\!]s) = [\![F]\!]s$$

$$s, h \models P * Q \;\text{ iff }\; \exists h_0, h_1.\; h_0 \mathrel{\#} h_1,\; h_0 \cdot h_1 = h,\; s, h_0 \models P \text{ and } s, h_1 \models Q$$



Notice that the semantics of $E \mapsto F$ is “exact”, where it is required that $E$ is 
the only active address in the current heap. Using $*$ we can build up descriptions 
of larger heaps. For example, $(10 \mapsto 3) * (11 \mapsto 10)$ describes two adjacent cells 
whose contents are 3 and 10. 

The “permissions” reading of assertions is intimately related to the way the 
semantics above works with “portions” of the heap. Consider, for example, a 
formula 

$$\mathit{list}(f) * x \mapsto -,-$$

as was used in the memory manager example. A heap $h$ satisfying this formula 
must have a partition $h = h_0 \cdot h_1$ where $h_0$ contains the free list (and nothing 
else) and $h_1$ contains the binary cell pointed to by $x$. It is evident from this 
that we cannot regard an assertion $P$ on its own as describing the entire state, 
because it might be used within another assertion, as part of a $*$ conjunct. 
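To make the appendix semantics concrete, and to check the precision condition of Section 7 on the invariants the paper uses, here is an added Python evaluator (not part of the paper) for the heap assertions above. It encodes assertions as tuples, stacks and heaps as dicts, enumerates the subheap splittings that $*$ quantifies over, and counts the witnesses $h' \subseteq h$ of an assertion, so that precision at a given state becomes a direct check; the quantifier and implication cases are omitted since they range over all integers. The tuple encoding, the helper names, and the desugaring of $e \mapsto -,-$ into $(e \mapsto -) * (e{+}1 \mapsto -)$ are assumptions of the example, the last following the RAM-model convention from Section 5.

```python
from itertools import combinations

# Assertion syntax, constructed for this example (the paper's connectives
# encoded as tuples):
#   ('true',) ('emp',) ('pt', E, F) ('star', P, Q) ('and', P, Q) ('or', P, Q)
#   ('not', P) ('pure', fn)        fn: stack -> bool, standing for a boolean B
# E, F are ints, variable names, or ('+', E, n); F may be '-' (any value).
# A stack s is a dict var -> int; a heap h is a dict address -> int.


def val(s, e):
    """[[E]]s for the tiny expression language above."""
    if isinstance(e, tuple):
        return val(s, e[1]) + e[2]
    return s[e] if isinstance(e, str) else e


def subheaps(h):
    """Every h' subset of h (as a dict), enumerated by choice of domain."""
    addrs = sorted(h)
    for k in range(len(addrs) + 1):
        for dom in combinations(addrs, k):
            yield {a: h[a] for a in dom}


def splits(s, h, p, q):
    """Domains of those h0 with h0 # h1, h0 . h1 = h, s,h0 |= P and s,h1 |= Q."""
    found = []
    for h0 in subheaps(h):
        h1 = {a: v for a, v in h.items() if a not in h0}
        if sat(s, h0, p) and sat(s, h1, q):
            found.append(tuple(sorted(h0)))
    return found


def sat(s, h, p):
    """s,h |= P following the appendix semantics (E |-> F is exact)."""
    tag = p[0]
    if tag == 'true':
        return True
    if tag == 'emp':
        return not h
    if tag == 'pt':
        a = val(s, p[1])
        return set(h) == {a} and (p[2] == '-' or h[a] == val(s, p[2]))
    if tag == 'star':
        return bool(splits(s, h, p[1], p[2]))
    if tag == 'and':
        return sat(s, h, p[1]) and sat(s, h, p[2])
    if tag == 'or':
        return sat(s, h, p[1]) or sat(s, h, p[2])
    if tag == 'not':
        return not sat(s, h, p[1])
    if tag == 'pure':
        return p[1](s)
    raise ValueError(tag)


def witnesses(s, h, p):
    """Number of subheaps h' of h with s,h' |= P; precision at (s,h) means <= 1."""
    return sum(1 for h1 in subheaps(h) if sat(s, h1, p))


def precise_at(s, h, p):
    return witnesses(s, h, p) <= 1


def cell(e):
    """e |-> -,- desugared to (e |-> -) * (e+1 |-> -) as in the RAM model."""
    return ('star', ('pt', e, '-'), ('pt', ('+', e, 1), '-'))


# RI_buf: (full and c |-> -,-) or (not full and emp), with full read from the stack
RI_BUF = ('or', ('and', ('pure', lambda s: s['full']), cell('c')),
                ('and', ('pure', lambda s: not s['full']), ('emp',)))
ONE = ('pt', 10, '-')   # the assertion 'one' of the Reynolds counterexample
```

On a heap holding the buffer's cell plus one unrelated cell, RI_BUF has exactly one witness in both the full and the not-full case, while true has one witness per subheap; on a single-cell heap, (emp or one) * true admits both splittings, which is the nondeterminism of * that the Reynolds counterexample exploits; and x |-> 3 * y |-> 3 fails whenever x and y alias, which is the point made after the parallel composition rule in Section 3.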
Abstract. We develop new methods to statically bound the resources 
needed for the execution of systems of concurrent, interactive threads. 
Our study is concerned with a synchronous model of interaction based 
on cooperative threads whose execution proceeds in synchronous rounds 
called instants. Our contribution is a system of compositional static anal- 
yses to guarantee that each instant terminates and to bound the size of 
the values computed by the system as a function of the size of its pa- 
rameters at the beginning of the instant. 

Our method generalises an approach designed for first-order func- 
tional languages that relies on a combination of standard termination 
techniques for term rewriting systems and an analysis of the size of the 
computed values based on the notion of quasi-interpretation. These two 
methods can be combined to obtain an explicit polynomial bound on the 
resources needed for the execution of the system during an instant. 



1 Introduction 

The problem of bounding the usage made by programs of their resources has al- 
ready attracted considerable attention. Automatic extraction of resource bounds 
has mainly focused on (first-order) functional languages starting from Cobham’s 
characterisation [13] of polynomial time functions by bounded recursion on no- 
tation. Following work, see, e.g., [6,14,15,16], has developed various inference 
techniques that allow for efficient analyses while capturing a sufficiently large 
range of practical algorithms. 

Previous work [9,17] has shown that polynomial time or space bounds can 
be obtained by combining traditional termination techniques for term rewriting 
systems with an analysis of the size of computed values based on the notion of 
quasi-interpretation. Thus, in a nutshell, resource control relies on termination 
and bounds on data size. In [3], we have considered the problem of automatically 
inferring quasi-interpretations in the space of multi-variate max-plus polynomi- 
als. In [2], we have presented a virtual machine and a corresponding bytecode 
for a first-order functional language and shown how size and termination anno- 
tations can be formulated and verified at the level of the bytecode. In particular, 
we can derive from the verification an explicit polynomial bound on the space 
required to execute a given bytecode. 

Our approach to resource bound certification follows distinctive design deci- 
sions. First, we allow the space needed for the execution of a program to vary 
depending on the size of its arguments. This is in contrast to most approaches 
that try to enforce a constant space bound. While this latter goal is reason- 
able for applications targeting embedded devices, it is not always relevant in 
the context of mobile code. Second, our method is applicable to a large class 
of algorithms and does not impose specific syntactical restrictions on programs. 
For example, we depart from works based on a linear usage of variables [14]. 

Our approach to resource control should be contrasted with traditional worst 
case execution time technology (see, e.g., [20]): our bounds are less precise but 
they apply to a larger class of algorithms and are functional in the size of the 
input, which seems more appropriate in the context of mobile code. In another 
direction, one may compare our approach with the one based on linear logic 
(see, e.g., [11]). While in principle the linear logic approach supports higher- 
order functions, the approach does not offer yet a user-friendly programming 
language. 

In this work, we aim at extending and adapting these results to a concurrent 
framework. Our starting point is a quite basic and popular model of parallel 
threads interacting on shared variables. The kind of concurrency we consider 
is a cooperative one. This means that by default a running thread cannot be 
preempted unless it explicitly decides to return the control to the scheduler. In 
preemptive threads, the opposite hypothesis is made: by default a running thread 
can be preempted at any point unless it explicitly requires that a series of actions 
is atomic. We refer to, e.g., [19] for an extended comparison of the cooperative 
and preemptive models. Our viewpoint is pragmatic: the cooperative model is 
closer to the sequential one and many applications are easier to program in the 
cooperative model than in the preemptive one. Thus, as a first step, it makes 
sense to develop a resource control analysis for the cooperative model. 

The second major design choice is to assume that the computation is reg- 
ulated by a notion of instant. An instant lasts as long as a thread can make 
some progress in the current instant. In other terms, an instant ends when the 
scheduler realizes that all threads are either stopped, or waiting for the next 
instant, or waiting for a value that no thread can produce in the current instant. 
Because of this notion of instant, we regard our model as synchronous. Because 
the model includes a logical notion of time, it is possible for a thread to react to 
the absence of an event. 

The reaction to the absence of an event is typical of synchronous languages
such as Esterel [8]. Boussinot et al. have proposed a weaker version of this
feature where the reaction to the absence happens in the following instant [7]
and they have implemented it in various programming environments based on
C, Java, and Scheme. They have also advocated the relevance of this concept
for the programming of mobile code and demonstrated that the possibility for
a ‘synchronous’ mobile agent to react to the absence of an event is an added
factor of flexibility for programs designed for open distributed systems, whose
behaviours are inherently difficult to predict.

Recently, Boudol [5] has proposed a formalisation of this programming model.
Our analysis will essentially focus on a small fragment of this model where higher-
order functions are ruled out and dynamic thread creation and dynamic memory
allocation are only allowed at the very beginning of an instant. We believe that
what is left is still expressive and challenging enough as far as resource control
is concerned. Our analysis goes in three main steps. A first step is to guarantee
that each instant terminates (Section 4). A second step is to bound the size of
the computed values as a function of the size of the parameters at the beginning
of the instant (Section 5). A third step is to combine the termination and size
analyses. Here we show how to obtain polynomial bounds on the space needed
for the execution of the system during an instant as a function of the size of
the parameters at the beginning of the instant (Section 6). We expect that one
could derive polynomial bounds on time as well, by adapting the work in [17].

A characteristic of our static analyses is that to a great extent they abstract
from the memory and the scheduler. This means that each thread can
be analysed separately, that the complexity of the analyses grows linearly in the
number of threads, and that an incremental analysis of a dynamically changing
system of threads is possible. Preliminary to these analyses is a control flow
analysis (Section 3) that guarantees that each thread reads each register at most
once in an instant. We will see that without this condition, it is very easy to
achieve an exponential growth of the space needed for the execution. From a
technical point of view, the benefit of this read once condition is that it allows us
to regard behaviours as functions of their initial parameters and the registers they
may read in the instant. Taking this functional viewpoint, we are able to adapt
the main techniques developed for proving termination and size bounds in the
first-order functional setting.

We point out that our static size analyses are not intended to predict the size 
of the system after arbitrary many instants. This is a harder problem which in 
general seems to require an understanding of the global behaviour of the system: 
typically one has to find an invariant that shows that the parameters of the 
system stay within certain bounds. For this reason, we believe that in practice 
our static analyses should be combined with a dynamic controller that at the 
end of each instant checks the size of the parameters of the system. 

Omitted proofs may be found in a long version of this paper [1] in which we 
describe our programming model up to the point where a bytecode for a simple 
virtual machine implementing our synchronous language is defined. The long 
version also provides a number of programming examples illustrating how some 
synchronous and/or concurrent programming paradigms can be represented in 
our model (some simple examples are given at the end of Section 2). These 
examples suggest that the constraints imposed by the static analyses are not too 
severe and that their verification can be automated. 
2 A Model of Synchronous Cooperative Threads

A system of synchronous cooperative threads is described by: (1) a list of mutu- 
ally recursive type definitions, (2) a list of shared registers (or global variables) 
with a type and a default value, and (3) a list of mutually recursive functions 
and behaviours definitions relying on pattern matching. In this respect, the re- 
sulting programming language is reminiscent of Erlang [4], which is a practical 
language to develop concurrent applications. 

The set of instructions a behaviour can execute is rather minimal. Indeed, our 
language is already in a pre-compiled form where registers are assigned constant 
values and behaviours definitions are tail recursive. However, it is quite possible 
to extend the language and our analyses to have registers’ names as first-class 
values and general recursive behaviours. 

Expressions. We rely on standard notation. If α, β are formal terms then
Var(α) is the set of free variables in α (variables in patterns are not free) and
[α/x]β denotes the substitution of α for x in β. If h is a function, h[u/i] denotes
a function update.

Expressions and values are built from a finite number of constructors, ranged
over by c, c', ... We use f, f', ... to range over function identifiers and x, x', ...
for variables, and distinguish the following three syntactic categories:

    v ::= c(v, ..., v)                       (values)

    p ::= x | c(p, ..., p)                   (patterns)

    e ::= x | c(e, ..., e) | f(e, ..., e)    (expressions)

The size of an expression |e| is defined as 0 if e is a constant or a variable
and 1 + Σ_{i∈1..n} |e_i| if e is of the form c(e_1, ..., e_n) or f(e_1, ..., e_n).

A function of arity n is defined by a sequence of pattern-matching rules of the
form f(p_1) = be_1, ..., f(p_k) = be_k, where be_i is either an expression or a thread
behaviour (see below), and p_1, ..., p_k are sequences of length n of patterns. We
follow the usual hypothesis that the patterns in p_1, ..., p_k are linear (a variable
appears at most once). For the sake of simplicity, we will also assume that in a
function definition a sequence of values v matches exactly one of the sequences of
patterns p_i. This hypothesis can be relaxed.

Inductive types are defined by equations of the shape t = ··· | c of (t_1 *
··· * t_n) | ···. For instance, the type of natural numbers in unary format can be
defined as follows: nat = z | s of nat. Functions, values, and expressions are
assigned first order types of the shape (t_1 * ··· * t_n) → t where t, t_1, ..., t_n are
inductive types.

Behaviours. Some function symbols may return a thread behaviour b, b', ...
rather than a value. In contrast to ‘pure’ expressions, a behaviour does not
return a result but produces side-effects by reading and writing a set of global
registers, ranged over by r, r', ... A behaviour may also affect the scheduling
status of the thread executing it (see below).




72    R.M. Amadio and S. Dal Zilio

    be ::= e | b

    b, b', ... ::= stop | yield.b | f(e) | next.f(e) | r := e.b |
                   match r with p_1 => b_1 | ··· | p_k => b_k | [x] => f(e)

The effect of the various instructions is informally described as follows: stop
terminates the executing thread for ever; yield.b halts the execution and hands
over the control to the scheduler, the control should return to the thread later
in the same instant and execution resumes with b; f(e) and next.f(e) switch
to another behaviour immediately or at the beginning of the following instant;
r := e.b evaluates the expression e, assigns its value to r and proceeds with the
evaluation of b; match r with p_1 => b_1 | ··· | p_k => b_k | [x] => f(e) waits until
the value of r matches one of the patterns p_1, ..., p_k (there could be no delay)
and yields the control otherwise. At the end of the instant, if the value of r is
v and no rule filters v then start the next instant with the behaviour [v/x]f(e).
By convention, when the [x] => ... branch is omitted, it is intended that if the
match conditions are not satisfied in the current instant, then they are checked
again in the following one.

Systems. Every thread has a status, ranged over by X, X', ..., that is a value
in {N, R, S, W}, where N stands for next, R for run, S for stop, and W for
wait. A system of synchronous threads B, B', ... is a finite mapping from thread
indexes to pairs (behaviour, status). Each register has a type and a default value,
its value at the beginning of an instant, and we use s, s', ... to denote a
store, an association between registers and their values. We suppose the thread
indexes i, k, ... range over Z_n = {0, 1, ..., n − 1} and that at the beginning of
each instant the store is s_0, such that each register is assigned its default value.
If B is a system and i ∈ Z_n a valid thread index then we denote with B_1(i) the
behaviour executed in the thread i and with B_2(i) its current status. Initially,
all threads have status R, the current thread index is 0, and B_1(i) is a behaviour
expression of the shape f(v). It is a standard exercise to formalise a type system
of simple first-order functional types for such a language and, in the following,
we assume that all systems we consider are well typed.

Operational Semantics. The operational semantics is described by three rela-
tions of growing complexity, presented in Table 1: (1) e ⇓ v, the closed expression
e evaluates to the value v; (2) (b, s) →^X (b', s'), the behaviour b with store s runs an
atomic sequence of actions till b', producing a store s', and returning the control
to the scheduler with status X; during an instant, we can have the following
status transitions in a thread: R → S, W, N and W → R, where the latter concerns
a thread that was blocked on a behaviour match r with ... because no filter
matched the value of r; (3) (B, s, i) → (B', s', i'), the system B with store s and
current thread (index) i runs an atomic sequence of actions (performed by B_1(i))
and becomes (B', s', i').

Scheduler. The reduction relation, see Table 1, relies on the function N that
computes the index of the next thread that should run in the current instant and
the function U that updates the status of the thread at the end of an instant.
To ensure progress of the scheduling, we assume that if N returns an index
then it must be possible to run the corresponding thread in the current instant
and that if N is undefined (denoted N(...)↑) then no thread can be run in the
current instant. In addition, one could arbitrarily enrich the functional behaviour
of the scheduler by considering extensions such that N depends on the history,
the store, and/or is defined by means of probabilities. When no more thread can
run, the instant ends and the following status transitions take place: N → R,
W → R. For simplicity, we assume here that every thread in status W takes the
[x] => ... branch. Note that the function N is undefined on the updated system
if and only if all threads are stopped.

The Cooperative Fragment. The ‘cooperative’ fragment of the model with
no synchrony is obtained by removing the next instruction and assuming that
for all match instructions the branch [x] => f(e) is such that f(···) = stop. Then
all the interesting computation happens in the first instant, and in the second
instant all the threads terminate. This fragment is already powerful enough to
simulate, e.g., Kahn networks (see examples in [1]).

Example 1 (Channels and Signals). As shown in our informal presentation of 
behaviours, the match instruction allows one to read a register subject to cer- 
tain filter conditions. This is a powerful mechanism which recalls, e.g., Linda 
communication [12], and that allows one to encode various forms of channel and
signal communication. 

(1) We want to represent a one place channel c carrying values of type t. We
introduce a new type ch(t) = empty | full of t and a register c of type ch(t) with
default value empty. A thread should send a message on c only if c is empty
and it should receive a message only if c is not empty (a received message is
discarded). These operations can be modelled using the following two derived
operators:

    send(c, e).b    =def  match c with empty => c := full(e).b
    receive(c, x).b =def  match c with full(x) => c := empty.b

(2) We want to represent a fifo channel c carrying values of type t such that a
thread can always emit a value on c but may receive only if there is at least one
message in the channel. We introduce a new type fch(t) = nil | cons of t * fch(t)
and a register c of type fch(t) with default value nil. Hence a fifo channel is
modelled by a register holding a list of values. We consider two read operations,
freceive to fetch the first message on the channel and freceiveall to fetch the
whole queue of messages, and we use the auxiliary function insert to queue
messages at the end of the list:

    fsend(c, e).b       =def  match c with l => c := insert(e, l).b
    freceive(c, x).b    =def  match c with cons(x, l) => c := l.b
    freceiveall(c, x).b =def  match c with cons(y, l) => c := nil.[cons(y, l)/x]b

    insert(x, nil) = cons(x, nil),   insert(x, cons(y, l)) = cons(y, insert(x, l))

(3) We want to represent a signal s with the typical associated primitives:
emitting a signal and blocking until a signal is present. We define a type sig =
abst | prst and a register s of type sig with default value abst, meaning that a
signal is originally absent:

    emit(s).b =def  s := prst.b        wait(s).b =def  match s with prst => b

Table 1. Operational semantics

Expression evaluation:

$$\frac{\vec{e} \Downarrow \vec{v}}{c(\vec{e}) \Downarrow c(\vec{v})}
\qquad
\frac{\vec{e} \Downarrow \vec{v} \quad f(\vec{p}) = e' \quad \sigma\vec{p} = \vec{v} \quad \sigma e' \Downarrow v}{f(\vec{e}) \Downarrow v}$$

Behaviour reduction (the label on the arrow is the status returned to the scheduler):

$$(\mathsf{stop}, s) \xrightarrow{S} (\mathsf{stop}, s) \qquad
(\mathsf{yield}.b, s) \xrightarrow{R} (b, s) \qquad
(\mathsf{next}.f(\vec{e}), s) \xrightarrow{N} (f(\vec{e}), s)$$

$$\frac{\text{no pattern matches } s(r)}{(\mathsf{match}\ r\ \mathsf{with}\ \ldots, s) \xrightarrow{W} (\mathsf{match}\ r\ \mathsf{with}\ \ldots, s)}
\qquad
\frac{\sigma p = s(r) \quad (\sigma b, s) \xrightarrow{X} (b', s')}{(\mathsf{match}\ r\ \mathsf{with}\ \cdots \mid p \Rightarrow b \mid \cdots, s) \xrightarrow{X} (b', s')}$$

$$\frac{\vec{e} \Downarrow \vec{v} \quad f(\vec{p}) = b \quad \sigma\vec{p} = \vec{v} \quad (\sigma b, s) \xrightarrow{X} (b', s')}{(f(\vec{e}), s) \xrightarrow{X} (b', s')}
\qquad
\frac{e \Downarrow v \quad (b, s[v/r]) \xrightarrow{X} (b', s')}{(r := e.b, s) \xrightarrow{X} (b', s')}$$

System reduction:

$$(s_1)\quad \frac{(B_1(i), s) \xrightarrow{X} (b', s') \quad B_2(i) = R \quad B' = B[(b', X)/i] \quad \mathcal{N}(B', s', i) = k}{(B, s, i) \to (B'[(B'_1(k), R)/k], s', k)}$$

$$(s_2)\quad \frac{(B_1(i), s) \xrightarrow{X} (b', s') \quad B_2(i) = R \quad B' = B[(b', X)/i] \quad \mathcal{N}(B', s', i)\uparrow \quad B'' = \mathcal{U}(B', s') \quad \mathcal{N}(B'', s_0, 0) = k}{(B, s, i) \to (B'', s_0, k)}$$

Conditions on the scheduler:

If $\mathcal{N}(B, s, i) = j$ then $B_2(j) = R$ or ($B_2(j) = W$ and
$B_1(j) = \mathsf{match}\ r\ \mathsf{with}\ \cdots \mid p \Rightarrow b \mid \cdots$ with $\sigma p = s(r)$).

If $\mathcal{N}(B, s, i)\uparrow$ then for all $k \in \mathbb{Z}_n$, $B_2(k) \in \{N, S\}$ or ($B_2(k) = W$,
$B_1(k) = \mathsf{match}\ r\ \mathsf{with}\ \ldots$ and no pattern matches $s(r)$).

$$\mathcal{U}(B, s)(i) = \begin{cases}
(b, S) & \text{if } B(i) = (b, S) \\
(b, R) & \text{if } B(i) = (b, N) \\
([s(r)/x](f(\vec{e})), R) & \text{if } B(i) = (\mathsf{match}\ r\ \mathsf{with}\ \cdots \mid [x] \Rightarrow f(\vec{e}), W)
\end{cases}$$
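The following Python model is an added illustration of Table 1; it is not code from the paper (the long version [1] defines a bytecode and a virtual machine instead, which is not reproduced here). Behaviours are written as Python generators that hand instructions to a scheduler implementing the functions N and U and the instant structure; values are ordinary Python objects, tally naturals are represented by their size, and the `emitter` thread is an assumed helper used only to drive the scenario. The `alarm` behaviour follows Example 3 and `exp` follows Example 2, which exhibits the exponential growth that the read once condition of Section 3 rules out.

```python
"""Executable model of the synchronous cooperative threads of Section 2.

A behaviour is a Python generator handing instructions to the scheduler:
  ('write', r, v)     r := v . b   (v already evaluated; expressions never touch registers)
  ('match', r, pred)  match r with p => b | [x] => g(e): resumed with (True, v) once
                      pred(v) holds in this instant, or with (False, v) at the end of
                      the instant, which is the [x] branch; pred stands for the patterns
  ('yield',)          yield . b
  ('next',)           next . f(e): resume at the start of the following instant
  return              stop
Tally naturals are represented by their size; 'prst' / 'abst' are the values of type sig.
"""

def make_thread(gen):
    return {"gen": gen, "status": "R", "wait": None, "msg": None}

def step(t, store):
    """One atomic sequence of actions of thread t: (b, s) -X-> (b', s') of Table 1."""
    while True:
        try:
            instr = t["gen"].send(t["msg"])
        except StopIteration:                  # stop: the thread terminates for ever
            t["status"] = "S"
            return
        t["msg"] = None
        if instr[0] == "write":
            store[instr[1]] = instr[2]
        elif instr[0] == "yield":              # status stays R, control goes to the scheduler
            return
        elif instr[0] == "next":
            t["status"] = "N"
            return
        elif instr[0] == "match":
            reg, pred = instr[1], instr[2]
            if pred(store[reg]):
                t["msg"] = (True, store[reg])  # a pattern filters s(r): go on in this instant
            else:                              # no pattern matches s(r): wait
                t["status"], t["wait"] = "W", (reg, pred)
                return

def next_thread(threads, store, i):
    """The scheduler function N: round robin after i over the threads runnable now, else None."""
    n = len(threads)
    for j in [(i + d) % n for d in range(1, n + 1)]:
        t = threads[j]
        if t["status"] == "R":
            return j
        if t["status"] == "W" and t["wait"][1](store[t["wait"][0]]):   # W -> R
            t["status"], t["msg"], t["wait"] = "R", (True, store[t["wait"][0]]), None
            return j
    return None

def end_of_instant(threads, store):
    """The function U: N -> R, and W -> R taking the [x] => g(e) branch with x = s(r)."""
    for t in threads:
        if t["status"] == "N":
            t["status"] = "R"
        elif t["status"] == "W":
            t["status"], t["msg"], t["wait"] = "R", (False, store[t["wait"][0]]), None

def run_system(gens, defaults, instants):
    """Run the system for `instants` instants; return the store at the end of each one."""
    threads, stores, i = [make_thread(g) for g in gens], [], len(gens) - 1  # thread 0 runs first
    for _ in range(instants):
        store = dict(defaults)                 # s_0: every register holds its default value
        while (k := next_thread(threads, store, i)) is not None:
            step(threads[k], store)
            i = k
        end_of_instant(threads, store)
        stores.append(store)
    return stores

def alarm(x, m):
    """Example 3: emit ring after m consecutive instants without sig; delay reset to x on sig."""
    y = m
    while y > 0:                               # alarm(x, s(y))
        present, _ = yield ("match", "sig", lambda v: v == "prst")
        if present:
            yield ("next",)                    # next . alarm(x, x)
            y = x
        else:
            y -= 1                             # [_] => alarm(x, y), taken at the end of the instant
    yield ("write", "ring", "prst")            # alarm(x, z) = ring := prst . stop

def emitter(instants):
    """Assumed helper thread (not from the paper): emit(sig) in the given instants, then stop."""
    for k in range(max(instants) + 1):
        if k in instants:
            yield ("write", "sig", "prst")
        yield ("next",)

def exp(n):
    """Example 2 (violates read once): exp(s(n)) = match r with m => r := dble(m) . exp(n)."""
    while n > 0:
        _, m = yield ("match", "r", lambda v: True)
        yield ("write", "r", 2 * m)            # |dble(m)| = 2 |m|
        n -= 1
```

Running `run_system([alarm(2, 2), emitter({0})], {"sig": "abst", "ring": "abst"}, 4)` shows the W → R transition inside instant 0 (the alarm is blocked on sig until the emitter writes it, then resumes in the same instant) and the [_] branch taken at the end of instants 1 and 2, so ring is present in the store at the end of instant 3. Running `run_system([exp(10)], {"r": 1}, 1)` leaves a value of size 2^10 in r after a single instant, which is exactly the accumulator effect the read once condition forbids.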

3 Control Flow Analysis 

To bound the resources needed for the execution of a system and make possible
a compositional analysis, a preliminary control flow analysis is required. We
require, and statically check on the control flow, that a thread reads any given
register at most once in an instant. The following simple example shows that
without the read once restriction, a thread can use a register as an accumulator
and produce an exponential growth of the size of the data within an instant.

Example 2. Let nat = z | s of nat be the type of tally natural numbers. The
function dble, defined by the two rules dble(z) = z and dble(s(n)) = s(s(dble(n))),
doubles a number so that |dble(n)| = 2|n|. We assume r is a register of type nat
with initial value s(z). Now consider the following recursive behaviour:

    exp(z) = stop,    exp(s(n)) = match r with m => r := dble(m).exp(n)

The evaluation of exp(n) involves |n| reads to the register r and, after each
read operation, the size of the value stored in r doubles. Hence, at the end of the
instant, the register contains a value of size 2^{|n|}.

The read once condition is comparable to the restriction on the absence of 
immediate cyclic definitions in Lustre and does not appear to be a severe 
limitation on the expressiveness of the language. An important consequence of 
the read once condition is that a behaviour can be described as a function of 
its parameters and the registers it may read during an instant. We stress that 
we retain the read once condition for its simplicity, however it is clear that one 
could weaken the condition and adapt the analysis given in Section 3.1 to allow 
the execution of a read instruction at most a constant number of times. 

3.1 Enforcing the Read Once Condition 

We now describe a simple analysis that guarantees the read once condition.
Consider the set Reg = {r_1, ..., r_m} of the registers as an alphabet. To every
function symbol f whose result is a behaviour, we associate the least language
R(f) of words over Reg such that ε, the empty word, is in R(f) and the following
conditions are satisfied:

    if (f(p_i) = b_i)_{i∈1..n} are the rules of f then R(f) =def {ε} · ⋃_{i∈1..n} R(b_i),

    R(match r with p_1 => b_1 | ··· | p_n => b_n | [x] => g(e)) =def {r} · ⋃_{i∈1..n} R(b_i),
    R(stop) = {ε},   R(g(e)) = R(g),   R(r := e.b) = R(b),
    R(yield.b) = R(b),   R(next.g(e)) = {ε}.

Looking at the words in R(f), we get an over-approximation of the sequences
of registers that a thread can read in an instant starting from the control point
f with arbitrary parameters and store. Note that an expression can never read
or write a register.

To determine the sets R(f), we perform an iterative computation according
to the equations above. The iteration stops when either (1) we reach a fixpoint
(and we are sure that the property holds) or (2) we notice that a word in the
current approximation of R(f) contains the same register twice (thus we never
need to consider words whose length is greater than the number of registers).
If the first situation occurs, then for every function symbol f that returns a
behaviour we can obtain a list of registers r_f that a thread starting from control
point f may read. We are going to consider these registers as hidden parameters
(variables) of the function f. If the second condition occurs, we cannot guarantee
the read once property and we stop analysing the code.

Example 3. This will be the running example for this section. We consider the
representation of signals as in Example 1(3). We assume two signals sig and ring.
The behaviour alarm(n, m) will emit a signal on ring if it detects that no signal
is emitted on sig for m consecutive instants. The alarm delay is reset to n if the
signal sig is present.

    alarm(x, z) = ring := prst.stop,

    alarm(x, s(y)) = match sig with prst => next.alarm(x, x) | [_] => alarm(x, y)

By computing R on this example, we obtain: R(alarm) = {ε} · (R(ring :=
prst.stop) ∪ R(match sig with ...)) = {ε} · ({ε} ∪ ({sig} · {ε})) = {ε, sig}.
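The iteration of Section 3.1, as an added example (not the authors' tool): behaviours are encoded as small tuple ASTs of my own choosing, words over Reg are tuples of register names, and the fixpoint computation stops early as soon as some word reads a register twice. It is run on Example 3 (accepted, with R(alarm) = {ε, sig}), on Example 2 (rejected: the second iteration produces the word r·r) and on the monitor of Example 6 below.

```python
"""Read once analysis of Section 3.1 over a tuple encoding of behaviours (assumed here):
  ('stop',)  ('call', g)  ('next', g)  ('yield', b)  ('write', r, b)
  ('match', r, [b1, ..., bn], g)     # g is the [x] => g(e) branch, or None if omitted
A program maps each behaviour symbol f to the list of right-hand sides of its rules.
Words over the register alphabet Reg are tuples of register names; () is the empty word.
"""

EPS = ()

def concat(L1, L2):
    """Concatenation of two languages."""
    return {u + v for u in L1 for v in L2}

def words_of(b, R):
    """R(b) for a behaviour b, given the current approximation R of the function symbols."""
    kind = b[0]
    if kind in ("stop", "next"):               # next.g(e) reads nothing in this instant
        return {EPS}
    if kind == "call":
        return set(R[b[1]])
    if kind in ("yield", "write"):
        return words_of(b[-1], R)
    if kind == "match":                        # the [x] branch runs in the next instant
        branches = set().union(*(words_of(bi, R) for bi in b[2]))
        return concat({(b[1],)}, branches)
    raise ValueError(kind)

def read_once(program):
    """Return {f: R(f)} if every word reads each register at most once, else None."""
    R = {f: {EPS} for f in program}            # the empty word is in every R(f)
    while True:
        new = {f: {EPS} | set().union(*(words_of(b, R) for b in bodies))
               for f, bodies in program.items()}
        for words in new.values():
            for w in words:
                if len(w) != len(set(w)):      # a register occurs twice: give up
                    return None
        if new == R:                           # fixpoint reached, property holds
            return R
        R = new

def registers_read(R):
    """The ordered vector r_f of registers a thread starting at f may read (hidden parameters of f+)."""
    return {f: sorted({r for w in words for r in w}) for f, words in R.items()}

# Example 3: alarm(x, z) = ring := prst.stop ; alarm(x, s(y)) = match sig with prst => next.alarm(x, x) | [_] => alarm(x, y)
ALARM = {"alarm": [("write", "ring", ("stop",)),
                   ("match", "sig", [("next", "alarm")], "alarm")]}

# Example 2: exp(z) = stop ; exp(s(n)) = match r with m => r := dble(m).exp(n)
EXP = {"exp": [("stop",), ("match", "r", [("write", "r", ("call", "exp"))], None)]}

# Example 6: f(x) = yield.match i with l => f1(maxl(l, x)) ; f1(x) = o := x.next.f(x)
MONITOR = {"f": [("yield", ("match", "i", [("call", "f1")], None))],
           "f1": [("write", "o", ("next", "f"))]}
```

`read_once(ALARM)` returns `{"alarm": {(), ("sig",)}}`, so r_alarm = (sig) and alarm^+ gets one extra parameter; `read_once(EXP)` returns `None` because the approximation grows from {ε} to {ε, r} and then to {ε, r, r·r}, which is exactly the accumulator pattern of Example 2.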

3.2 Control Points

We define a symbolic representation of the set of states reachable by a thread
based on the control flow graph of its behaviours. A control point is a triple
(f(p), be, i) where, intuitively, f is the currently called function, p represents
the patterns crossed so far in the function definition plus possibly the registers
that still have to be read, be is the continuation, and i is an integer flag in
{0, 1, 2} that will be used to associate with the control point various kinds of
conditions. We associate with a system satisfying the read once condition a
finite number of control points. If the function f returns a value and is defined
by the rules f(p_1) = e_1, ..., f(p_n) = e_n, then we associate with f the set
{(f(p_1), e_1, 0), ..., (f(p_n), e_n, 0)}.

On the other hand, if the function f is a behaviour defined by the rules
f(p_1) = b_1, ..., f(p_n) = b_n then the computation of the control points proceeds
as follows. We assume that the registers have been ordered and that for every be-
haviour definition f, we have an ordered vector r_f of registers that may be read
within an instant starting from f. (The vector r_f is obtained from R(f).) With
every such f we associate a fresh function symbol f^+ whose arity is that of f plus
the length of r_f and we regard the registers as part of the formal parameters of
f^+. Then from the definition of f we produce the set ⋃_{i∈1..n} C(f^+, (p_i, r_f), b_i),
where C(f^+, p, b) is defined inductively on b as follows:

    C(f^+, p, b) = case b of
      stop       : {(f^+(p), b, 2)}
      g(e)       : {(f^+(p), b, 0)}
      yield.b'   : {(f^+(p), b, 2)} ∪ C(f^+, p, b')
      next.g(e)  : {(f^+(p), b, 2), (f^+(p), g(e), 2)}
      r := e.b'  : {(f^+(p), b, 2), (f^+(p), e, 1)} ∪ C(f^+, p, b')
      match r with p_1 => b_1 | ··· | p_n => b_n | [x] => g(e) :
                   {(f^+(p), b, 2), (f^+([x/r]p), g(e), 2)}
                   ∪ C(f^+, [p_1/r]p, b_1) ∪ ··· ∪ C(f^+, [p_n/r]p, b_n)

By inspecting the definitions, we can check that a control point (f(p), be, i)
has the property that Var(be) ⊆ Var(p). The read once condition is instru-
mental to this property. For instance, (i) in case g(e), we know that if g can
read some register r then r could not have been already read by f and (ii) in
the case of the match operator, we know that the register r has not been al-
ready read by f. Hence, in these two cases, the register r must still occur in
p.

Example 4. With reference to Example 3, we obtain the following control points:

    (alarm^+(x, z, sig), ring := prst.stop, 2)        (alarm^+(x, z, sig), prst, 1)
    (alarm^+(x, z, sig), stop, 2)                     (alarm^+(x, s(y), sig), match ..., 2)
    (alarm^+(x, s(y), prst), next.alarm(x, x), 2)     (alarm^+(x, s(y), prst), alarm(x, x), 2)
    (alarm^+(x, s(y), _), alarm(x, y), 2)



Definition 1. An instance of a control point (f(p), b, i) is a behaviour b' = σb,
where σ is a substitution mapping the free variables in b to values.

The property of being an instance of a control point is preserved by (be-
haviour and) system reduction. Thus the control points associated with a system
do provide a representation of all reachable configurations.

Proposition 1. Suppose (B, s, i) → (B', s', i') and that for all thread indexes
j ∈ Z_n, B_1(j) is an instance of a control point. Then for all j ∈ Z_n, we have
that B'_1(j) is an instance of a control point.

In order to prove the termination of the instant and to obtain a bound on
the size of computed values, we associate order constraints to control points as
follows:

    Control point:  (f(p), e, 0)    (f^+(p), g(e), 0)           (f^+(p), e, 1)    (f^+(p), be, 2)

    Constraint:     f(p) ≻_0 e      f^+(p) ≻_0 g^+(e, r_g)      f^+(p) ≻_1 e      no constraints

We say that a constraint e ≻_i e' has index i. We rely on the constraints of
index 0 to enforce termination of the instant and on those of index 0 or 1 to
enforce a bound on the size of the computed values. Note that the constraints are
on pure first order terms, a property that allows us to reuse techniques developed
in the standard term rewriting framework.
Example 5. With reference to the control points in Example 4, we obtain the
constraint alarm^+(x, z, sig) ≻_1 prst. We note that no constraints of index 0
are generated and so in this simple case the control flow analysis can already
establish the termination of the thread and all is left to do is to check that the
size of the data is under control, which will also be easily verified.

4 Termination of the Instant 

We recall that a reduction order > over first-order terms is a well-founded order
that is closed under context and substitution: t > s implies C[t] > C[s] and
σt > σs, where C is any one hole context and σ is any substitution (see, e.g., [10]).

Definition 2 (Termination Condition). We say that a system satisfies the 
termination condition if there is a reduction order > such that all constraints of 
index 0 associated with the system hold in the reduction order. 

In this section, we assume that the system satisfies the termination condition. 
As expected this entails that the evaluation of closed expressions succeeds. 

Proposition 2. Let e be a closed expression. Then there is a value v such that
e ⇓ v and e > v with respect to the reduction order.

Moreover, the following proposition states that a behaviour will always return 
the control to the scheduler. 

Proposition 3 (Progress). Let b be an instance of a control point. Then for
all stores s, (b, s) →^X (b', s') for some behaviour b', store s' and status X.

Finally, we show that at each instant the system will reach a configuration
in which the scheduler detects the end of the instant and proceeds to the reini-
tialisation of the store and the status (as specified by rule (s_2) in Table 1).

Theorem 1 (Termination of the Instant). All sequences of system reduc-
tions involving only rule (s_1) are finite.

Proposition 3 and Theorem 1 are proven by exhibiting a suitable well-founded 
measure which is based both on the reduction order and the fact that the number 
of reads a thread may perform in an instant is finite. 

Example 6. We consider a recursive behaviour monitoring the register i (acting
as a fifo channel) and parameterised on a number x representing the largest value
read so far. At each instant, the behaviour reads the list l of values received on
i and assigns to o the greatest number in x and l.

    f(x) = yield.match i with l => f_1(maxl(l, x)),    f_1(x) = o := x.next.f(x)

    max(z, y) = y,   max(s(x), z) = s(x),   max(s(x), s(y)) = s(max(x, y))
    maxl(nil, x) = x,   maxl(cons(y, l), x) = maxl(l, max(y, x))

It is easy to prove the termination of the thread by recursive path order-
ing, where the function symbols are ordered as f^+ > f_1 > maxl > max, the
arguments of maxl are compared lexicographically from left to right, and the
constructor symbols are incomparable and smaller than any function symbol.
5 Quasi-Interpretations

Our next task is to control the size of the values computed by the threads. A 
suitable notion of quasi-interpretation [17,3] provides a modular solution to this 
problem. 

Definition 3 (Assignment). Given a program, an assignment q associates
with constructors and function symbols, functions over the positive reals R^+
such that:

(1) If c is a constant then q_c is the constant 0,

(2) If c is a constructor with arity n ≥ 1 then q_c is the function in (R^+)^n → R^+
such that q_c(x_1, ..., x_n) = d + Σ_{i∈1..n} x_i, for some d ≥ 1,

(3) if f is a function (identifier) with arity n then q_f : (R^+)^n → R^+ is monotonic
and for all i ∈ 1..n we have q_f(x_1, ..., x_n) ≥ x_i.

An assignment q is extended to all expressions e as follows, giving a function
expression q_e with variables in Var(e):

$$q_x = x, \qquad q_{c(e_1,\ldots,e_n)} = q_c(q_{e_1},\ldots,q_{e_n}), \qquad q_{f(e_1,\ldots,e_n)} = q_f(q_{e_1},\ldots,q_{e_n}).$$

It is easy to check that for all values v, there exists a constant d depending
on the quasi-interpretation such that: |v| ≤ q_v ≤ d · |v|.

Definition 4 (Quasi-Interpretation). An assignment is a quasi-interpretation
if for all constraints associated with the system of the shape f(p) ≻_i e, with
i ∈ {0, 1}, the inequality q_{f(p)} ≥ q_e holds over the non-negative reals.

Quasi-interpretations are designed so as to provide a bound on the size of 
the computed values as a function of the size of the input data. In the follow- 
ing, we assume given a suitable quasi-interpretation, q , for the system under 
investigation. 

Example 7. With reference to Examples 2 and 6, the following assignment is a
quasi-interpretation (we give no quasi-interpretation for the function exp be-
cause it fails the read once condition):

    q_nil = q_z = 0,   q_s(x) = x + 1,   q_cons(x, l) = x + l + 1,   q_dble(x) = 2 · x,
    q_{f^+}(x, l) = x + l + 1,   q_{f_1^+}(x) = x,   q_maxl(x, y) = q_max(x, y) = max(x, y).

One can show [3] that in the purely functional fragment of our language every
value v computed during the evaluation of an expression f(v_1, ..., v_n) satisfies
the following condition:

$$|v| \le q_v \le q_{f(v_1,\ldots,v_n)} = q_f(q_{v_1},\ldots,q_{v_n}) \le q_f(d|v_1|,\ldots,d|v_n|). \tag{1}$$

We generalise this result to threads as follows. 
Theorem 2. Given a system of synchronous threads B, suppose that at the
beginning of the instant B_1(i) = f(v) for some thread index i. Then the size of
the values computed by the thread i during an instant is bounded by q_{f^+}(v, u) where
u are the values contained in the registers r_f when they are read by the thread
(or some constant value, otherwise).

Theorem 2 is proven by showing that quasi-interpretations satisfy a suitable
invariant. In general, a value computed and written by a thread can be read by
another thread. However, at each instant, we have a bound on the number of
threads and the number of reads that can be performed. We can then derive a
bound on the size of the computed values which depends only on the size of the
parameters at the beginning of the instant.

Corollary 1. Let B be a system with m registers and n threads. Suppose B_1(i) =
f_i(v_i) for i ∈ Z_n. Let c be a bound of the size of the largest parameter of the
functions f_i and the largest default value of the registers. Suppose h is a function
bounding all the quasi-interpretations, that is, for all the functions f_i^+ we have
h(x) ≥ q_{f_i^+}(x, ..., x) over the non-negative reals. Then the size of the values
computed by the system B during an instant is bounded by h^{n·m+1}(c).

Example 8. The n · m iterations of the function h predicted by Corollary 1 corre-
spond to a tight bound, as shown by the following example. We assume n threads
and m registers (with default value z). The control of each thread is described
as follows, where writeall(e).b stands for the behaviour r_1 := e. ··· .r_m := e.b:

    f(x_0) = match r_1 with x_1 => writeall(dble(max(x_1, x_0))).
             match r_2 with x_2 => writeall(dble(x_2)).
             ···
             match r_m with x_m => writeall(dble(x_m)).next.f(dble(x_m)).

For this system we have c ≥ |x_0| and h(x) = q_dble(x) = 2 · x. It is easy to
show that, at the end of an instant, there have been m · n assignments to each
register (m for every thread in the system) and that the value stored in each
register is dble^{m·n}(x_0) of size 2^{m·n} · |x_0|.
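A sizes-only simulation of Example 8 next to the bound of Corollary 1, added here as an illustration (not code from the paper). Since dble and max act on sizes as |dble(v)| = 2|v| and |max(v, w)| = max(|v|, |w|), only sizes need to be tracked; the scheduling assumption is the cooperative one of Section 2, each thread running up to its next without being preempted. The function also returns the parameter dble(x_m) the thread starts the next instant with, which is larger than c and illustrates why the analysis is per instant and is meant to be combined with a dynamic controller at the end of each instant, as discussed in the introduction.

```python
"""Example 8 on sizes: how close the bound h^{n*m+1}(c) of Corollary 1 is (added example).

Each of the n threads runs, with m registers r_1 .. r_m of default value z:
  f(x0) = match r_1 with x_1 => writeall(dble(max(x_1, x0))).
          match r_2 with x_2 => writeall(dble(x_2)). ...
          match r_m with x_m => writeall(dble(x_m)).next.f(dble(x_m))
Only sizes matter: |z| = 0, |dble(v)| = 2|v|, |max(v, w)| = max(|v|, |w|).
"""

def h(x):
    """h bounds every quasi-interpretation of the system: q_dble(x) = 2 * x (Example 8)."""
    return 2 * x

def iterate(fn, k, c):
    """fn^k(c)."""
    for _ in range(k):
        c = fn(c)
    return c

def corollary_bound(n, m, c):
    """Corollary 1: sizes computed within an instant are bounded by h^{n*m+1}(c)."""
    return iterate(h, n * m + 1, c)

def run_example_8_instant(n, m, x0):
    """Simulate one instant on sizes.

    Returns (largest size produced, register sizes at the end of the instant,
    size of the parameter dble(x_m) the thread restarts with in the next instant)."""
    regs = [0] * m                      # s_0: every register holds z
    largest = x0
    for _ in range(n):                  # no yield: each thread runs to its next without preemption
        for j in range(m):
            x_j = regs[j]               # match r_j with x_j => ...
            v = 2 * max(x_j, x0) if j == 0 else 2 * x_j
            regs = [v] * m              # writeall(dble(...)): one assignment to every register
            largest = max(largest, v)
    return largest, regs, 2 * regs[-1]  # next.f(dble(x_m))
```

With n = 3 threads, m = 2 registers and |x_0| = 5 the simulation ends the instant with every register at size 2^6 · 5 = 320, against the bound h^7(5) = 640: the extra iteration of h in the corollary costs only a factor of 2 here. The next instant starts from a parameter of size 640 > c, so the bound of the following instant must be recomputed from the new parameter sizes, which is what the dynamic controller is for.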



6 Combining Termination and Quasi-Interpretations 

To bound the space needed for the execution of a system during an instant we 
also need to bound the number of nested recursive calls, i.e., the number of 
frames that can be found on the stack (a precise definition of frame is given in 
the long version of this paper [1]). Unfortunately, quasi-interpretations provide a 
bound on the size of the frames but not on their number (at least not in a direct 
implementation that does not rely on memoization). One way to cope with this 
problem is to combine quasi-interpretations with various families of reduction 
orders [9,17]. In the following, we provide an example of this approach based on 
recursive path orders, which is a widely used and fully mechanisable technique to 
prove termination [10]. 
Definition 5. We say that a system terminates by LPO, if the reduction order 
associated with the system is a recursive path order where: (1) function symbols 
are compared lexicographically; (2) constructor symbols are always smaller than 
function symbols and two distinct constructor symbols are incomparable; (3) the 
arguments of constructor symbols are compared componentwise (product order). 

Definition 6. We say that a system admits a polynomial quasi-interpretation 
if it has a quasi-interpretation where all functions are bound by a polynomial. 

Theorem 3. If a system B terminates by LPO and admits a polynomial quasi- 
interpretation then the computation of the system in an instant runs in space 
polynomial in the size of the parameters of the threads at the beginning of the 
instant. 

The proof of Theorem 3 is based on Corollary 1 that provides a polynomial 
bound on the size of the computed values and on an analysis of nested calls in 
the LPO order that can be found in [9]. The point is that the depth of such 
nested calls is polynomial in the size of the values, which allows us to effectively 
compute a polynomial bounding the space necessary for the execution of the 
system. We stress that beyond proving that a system ‘runs in PSPACE’, we can 
extract a definite polynomial that depends on the quasi-interpretation and that 
bounds the size needed to run a system during an instant. 

Example 9. With reference to Example 6, we can check that the order used there 
is indeed a LPO. From the quasi-interpretation in Example 7, we can deduce 
that the function h(x) has the shape a ■ x + b (it is affine). More precisely, we 
can choose h{x) = 2 • x + 1. In practice, many useful functions admit quasi- 
interpretations bound by an affine function such as the max-plus polynomials 
considered in [3]. Note that the parameter of the thread is the largest value 
received so far. Clearly, bounding the value of this parameter for arbitrary many 
instants requires a global analysis of the system. 



7 Conclusion 

The execution of a thread in a cooperative synchronous model can be regarded as 
a sequence of instants. One can make each instant simple enough so that it can be 
described as a function — our experiments with writing sample programs show 
that the restrictions we impose do not hinder the expressivity of the language. 
Then well-known static analyses used to bound the resources needed for the 
execution of first-order functional programs can be extended to handle systems 
of synchronous cooperative threads. We believe this provides some evidence for 
the relevance of these techniques in concurrent/embedded programming. We 
also expect that our approach can be extended to a richer programming model 
including, e.g., references as first-class values, transactions-like primitives for 
error recovery, more elaborate mechanisms for preemption, . . . 

The static analyses we have considered do not try to analyse the whole sys- 
tem. On the contrary, they focus on each thread separately and can be carried 
out incrementally. On the basis of our previous work [2] and the virtual machine 
presented in [1], we expect that these analyses can be performed at bytecode 
level. These characteristics are particularly interesting in the framework of ‘mo- 
bile code’ where threads can enter or leave the system at the end of each instant 
as described in [5]. 
Abstract. We propose a framework where behavioural properties of 
finite-state systems modelled as graph transformation systems can be 
expressed and verified. The technique is based on the unfolding seman- 
tics and it generalises McMillan’s complete prefix approach, originally 
developed for Petri nets, to graph transformation systems. It allows to 
check properties of the graphs reachable in the system, expressed in a 
monadic second order logic. 



1 Introduction 

Graph transformation systems (GTSs) are recognised as an expressive specifica- 
tion formalism, properly generalising Petri nets and especially suited for concur- 
rent and distributed systems [9]: the (topo) logical distribution of a system can 
be naturally represented by using a graphical structure and the dynamics of the 
system, e.g., the reconfigurations of its topology, can be modelled by means of 
graph rewriting rules. 

The concurrent behaviour of GTSs has been thoroughly studied and a consoli- 
dated theory of concurrency for GTSs is available, including the generalisation of 
several semantics of Petri nets, like process and unfolding semantics (see, e.g., [6, 
20,3]). However, only recently, building on these semantical foundations, some 
efforts have been devoted to the development of frameworks where behavioural 
properties of GTSs can be expressed and verified (see [12, 15, 13, 21, 19, 1]). 

As witnessed, e.g., by the approaches in [17, 10] for Petri Nets, truly concur- 
rent semantics are potentially useful in the verification of finite-state systems, in 
that they help to avoid the combinatorial explosion arising when one explores all 
possible interleavings of events. Still, to the best of our knowledge, no technique 
based on partial order (process or unfolding) semantics has been proposed for 
the verification of finite-state GTSs. 
In this paper we contribute to this topic by proposing a verification framework 
for finite-state graph transformation systems based on their unfolding semantics. 
Our technique is inspired by the approach originally developed by McMillan for 
Petri nets [17] and further developed by many authors (see, e.g., [10,11,23]). 
More precisely, our technique applies to any graph grammar, i.e., any set of 
graph rewriting rules with a fixed start graph (the initial state of the system), 
which is finite-state in a liberal sense: the set of graphs which can be reached from 
the start graph, considered not only up to isomorphism, but also up to isolated 
nodes, is finite. Hence in a finite-state graph grammar in our sense there is not 
actually a bound to the number of nodes generated in a computation, but only 
to the nodes which are connected to some edge at each stage of the computation. 
Existing model-checking tools, such as SPIN [14], usually do not directly support 
the creation of an arbitrary number of objects while still maintaining a finite 
state space, which makes their use for checking finite-state GTSs entirely non-trivial 
(similar problems arise for process calculi agents with name creation). 

As a first step we face the problem of identifying a finite, still useful fragment 
of the unfolding of a GTS. In fact, the unfolding construction for GTSs produces 
a structure which fully describes the concurrent behaviour of the system, includ- 
ing all possible steps and their mutual dependencies, as well as all reachable 
states. However, the unfolding is infinite for non-trivial systems, and cannot be 
used directly for model-checking purposes. 

Following McMillan's approach, we show that given any finite-state graph 
grammar $\mathcal{G}$ a finite fragment of its unfolding which is complete, i.e., which pro- 
vides full information about the system as far as reachability (and other) prop- 
erties are concerned, can be characterised as the maximal prefix of the unfolding 
not including cut-off events. The greater expressiveness of GTSs, and specifically, 
the possibility of performing “contextual” rewritings (i.e., of preserving part of 
the state in a rewriting step), a feature which leads to multiple local histories 
for a single event (see, e.g., the work on contextual nets [18,22,4,23]), imposes 
a generalisation of the original notion of cut-off. 

Unfortunately the characterisation of the finite complete prefix is not con- 
structive. Hence, while leaving as an open problem the definition of a general 
algorithm for constructing such a prefix, we identify a significant subclass of 
graph grammars where an adaptation of the existing algorithms for Petri nets is 
feasible. These are called read-persistent graph grammars by analogy with the 
terminology used in the work on contextual nets [23]. 

In the second part we consider a logic $\mathcal{L}2$ where graph properties of interest 
can be expressed, like the non-existence and non-adjacency of edges with specific 
labels, the absence of certain paths (related to security properties) or cycles 
(related to deadlock-freedom). This is a monadic second-order logic over graphs 
where quantification is allowed over (sets of) edges. (Similar logics are considered 
in [8] and, in the field of verification, in [19,5].) Then we show how a complete 
finite prefix of a grammar $\mathcal{G}$ can be used to verify properties, expressed in $\mathcal{L}2$, of 
the graphs reachable in $\mathcal{G}$. This is done by exploiting both the graphical structure 
underlying the prefix and the concurrency information it provides. 
The rest of the paper is organised as follows. Section 2 introduces graph 
transformation systems and their unfolding semantics. Section 3 studies finite 
complete prefixes for finite-state GTSs. Section 4 introduces a logic for GTSs, 
showing how it can be checked over a finite complete prefix. Finally, Section 5 
draws some conclusions and indicates directions of further research. A more 
detailed presentation of the material in this paper can be found in [2]. 



2 Unfolding Semantics of Graph Grammars 

This section presents the notion of graph rewriting used in the paper. Rewriting 
takes place on so-called typed graphs , namely graphs labelled over a structure 
that is itself a graph [6]. It can be seen as a set-theoretical presentation of an 
instance of algebraic (single- or double-pushout) rewriting (see, e.g., [7]). Next 
we review the notion of occurrence grammar, which is instrumental in defining 
the unfolding of a graph grammar [3,20]. 

2.1 Graph Transformation Systems 

In the following, given a set $A$ we denote by $A^*$ the set of finite strings of elements 
of $A$. Given $u \in A^*$ we write $|u|$ to indicate the length of $u$. If $u = a_0 \ldots a_n$ and 
$0 \leq i \leq n$, by $[u]_i$ we denote the $i$-th element $a_i$ of $u$. Furthermore, if $f : A \to B$ 
is a function then we denote by $f^* : A^* \to B^*$ its extension to strings. 

A (hyper)graph $G$ is a tuple $(V_G, E_G, c_G)$, where $V_G$ is a set of nodes, $E_G$ 
is a set of edges and $c_G : E_G \to V_G^*$ is a connection function. A node $v \in V_G$ 
is called isolated if it is not connected to any edge. Given two graphs $G, G'$, a 
graph morphism $\phi : G \to G'$ is a pair $(\phi_V : V_G \to V_{G'},\ \phi_E : E_G \to E_{G'})$ of total 
functions such that for all $e \in E_G$, $\phi_V^*(c_G(e)) = c_{G'}(\phi_E(e))$. When obvious 
from the context, the subscripts $V$ and $E$ will be omitted. 

Definition 1 (Typed Graph). Given a graph (of types) $T$, a typed graph $G$ 
over $T$ is a graph $|G|$, together with a morphism $\mathit{type}_G : |G| \to T$. A morphism 
between $T$-typed graphs $f : G_1 \to G_2$ is a graph morphism $f : |G_1| \to |G_2|$ 
consistent with the typing, i.e., such that $\mathit{type}_{G_1} = \mathit{type}_{G_2} \circ f$. 

A typed graph $G$ is called injective if the typing morphism $\mathit{type}_G$ is injective. 
More generally, given $n \in \mathbb{N}$, the graph is called $n$-injective if for any item $x$ in 
$T$, $|\mathit{type}_G^{-1}(x)| \leq n$, namely if the number of "instances of resources" of any type 
$x$ is bounded by $n$. Given two (typed) graphs $G$ and $G'$ we will write $G \cong G'$ to 
mean that $G$ and $G'$ are isomorphic, and $G \simeq G'$ when $G$ and $G'$ are isomorphic 
up to isolated nodes, i.e., once their isolated nodes have been removed. 

In the sequel we extensively use the fact that given a graph G, any subgraph 
of $G$ without isolated nodes is identified by the set of its edges. Precisely, given 
a subset of edges $X \subseteq E_G$, we denote by $\mathit{graph}(X)$ the least subgraph of $G$ 
(actually the unique subgraph, up to isolated nodes) having $X$ as set of edges. 

We will use some set-theoretical operations on (typed) graphs with "componentwise" 
meaning. Let $G$ and $G'$ be $T$-typed graphs. We say that $G$ and $G'$ 
are consistent if $G \cup G'$ defined as $(V_{|G|} \cup V_{|G'|},\ E_{|G|} \cup E_{|G'|},\ c_G \cup c_{G'})$, typed by 
$\mathit{type}_G \cup \mathit{type}_{G'}$, is a well-defined $T$-typed graph. In this case also the intersection 
$G \cap G'$, constructed in a similar way, is well-defined. Given a graph $G$ and a 
set (of edges) $E$ we denote by $G - E$ the graph obtained from $G$ by removing 
the edges in $E$. Sometimes we will also refer to the items (nodes and edges) 
in $G - G'$, where $G$ and $G'$ are graphs, although the structure resulting as the 
componentwise set-difference of $G$ and $G'$ might not be a well-defined graph. 

Definition 2 (Production). Given a graph of types $T$, a $T$-typed production 
is a pair of finite consistent $T$-typed graphs $q = (L, R)$, often written $L \to R$, 
such that 1) $L \cup R$ and $L$ do not include isolated nodes; 2) $V_{|L|} \subseteq V_{|R|}$ and 3) 
$E_{|L|} - E_{|R|}$ and $E_{|R|} - E_{|L|}$ are non-empty. 

A rule $L \to R$ specifies that, once an occurrence of $L$ is found in a graph $G$, 
then $G$ can be rewritten by removing (the images in $G$ of) the items in $L - R$ 
and adding those in $R - L$. The (images in $G$ of the) items in $L \cap R$ instead are 
left unchanged: they are, in a sense, preserved or read by the rewriting step. 

This informal explanation should also motivate Conditions 1-3 above. Con- 
dition 1 essentially states that we are interested only in rewriting up to isolated 
nodes: by the requirement on LUR , no node is isolated when created and, by the 
requirement on L, nodes that become isolated have no influence on further reduc- 
tions. Thus one can safely assume that isolated nodes are removed by some kind 
of garbage collection. Consistently with this view, by Condition 2 productions 
cannot delete nodes (deletion can be simulated by leaving that node isolated). 
Condition 3 ensures that every production consumes and produces at least one 
edge: a requirement corresponding to T-restrictedness in Petri net theory. 

Definition 3 (Graph Rewriting). Let $q = L \to R$ be a $T$-typed production. 
A match of $q$ in a $T$-typed graph $G$ is a morphism $\phi : L \to G$, satisfying the 
identification condition, i.e., for $e, e' \in E_{|L|}$, if $\phi(e) = \phi(e')$ then $e, e' \in E_{|R|}$. In 
this case $G$ rewrites to the graph $H$, obtained as $H = ((G - \phi(E_{|L|} - E_{|R|})) \uplus R)/\!\equiv$, 
where $\equiv$ is the least equivalence on the items of the graph such that $x \equiv \phi(x)$ 
for every item $x$ of $L \cap R$. We write $G \Rightarrow_{q,\phi} H$ or simply $G \Rightarrow_{\mathcal{G}} H$. 

A rewriting step is schematically represented in Fig. 1. Intuitively, in the 
graph $H' = G - \phi(E_{|L|} - E_{|R|})$ the images of all the edges in $L - R$ have been 
removed. Then in order to get the resulting graph, merge $R$ to $H'$ along the 
image through $\phi$ of the preserved subgraph $L \cap R$. Formally the resulting graph 
$H$ is obtained by first taking $H' \uplus R$ and then by identifying, via the equivalence 
$\equiv$, the image through $\phi$ of each item in $L \cap R$ with the corresponding item in $R$. 

Definition 4 (Graph Transformation System and Graph Grammar). 

A graph transformation system (GTS) is a triple $\mathcal{R} = (T, P, \pi)$, where $T$ is a 
graph of types, $P$ is a set of production names and $\pi$ is a function mapping 
each production name $q \in P$ to a $T$-typed production $\pi(q) = L_q \to R_q$. A graph 
grammar is a tuple $\mathcal{G} = (T, G_s, P, \pi)$ where $(T, P, \pi)$ is a GTS and $G_s$ is a 
finite $T$-typed graph, without isolated nodes, called the start graph. We denote 
by $\mathit{Elem}(\mathcal{G})$ the (disjoint) union $E_T \uplus P$, i.e., the set of edges in the graph of 
types and the production names. We call $\mathcal{G}$ finite if the set $\mathit{Elem}(\mathcal{G})$ is finite. 

Fig. 1. A rewriting step, schematically 

A $T$-typed graph $G$ is reachable in $\mathcal{G}$ if $G_s \Rightarrow^*_{\mathcal{G}} G'$ for some $G' \simeq G$, where $\Rightarrow^*_{\mathcal{G}}$ 
is the transitive closure of the rewriting relation induced by productions in $\mathcal{G}$. 

We remark that Place/Transition Petri nets can be viewed as a special sub- 
class of typed graph grammars. Say that a graph $G$ is edge-discrete if its set 
of nodes is empty (and thus edges have no connections). Given a P/T net $N$, 
let $T_N$ be the edge-discrete graph having the set of places of $N$ as edges. Then 
any finite edge-discrete graph typed over $T_N$ can be seen as a marking of $N$: an 
edge typed over $s$ represents a token in place $s$. Using this correspondence, a 
production $L_t \to R_t$ faithfully represents a transition $t$ of $N$ if $L_t$ encodes the 
marking $\mathit{pre\text{-}set}(t)$, $R_t$ encodes $\mathit{post\text{-}set}(t)$, and $L_t \cap R_t = \emptyset$. The graph grammar 
corresponding to a Petri net is finite iff the original net has finitely many places 
and transitions. Observe that the generalisation from edge-discrete to proper 
graphs radically changes the expressive power of the formalism. For instance, 
unlike P/T Petri nets, the class of grammars in this paper is Turing complete. 

Example 1. Consider the graph grammar $\mathcal{CP}$, modeling a system where three 
processes of type $P$ are connected to a communication manager of type $CM$ (see 
the start graph in Fig. 2, where edges are represented as rectangles and nodes 
as small circles). Two processes may establish a new connection with each other 
via the communication manager, becoming processes engaged in communication 
(typed $PE$, the only edge with more than one connection). This transformation 
is modelled by the production [engage] in Fig. 2: observe that a new node con- 
necting the two processes is created. The second production [release] terminates 
the communication between two partners. A typed graph $G$ over $T_{\mathcal{CP}}$ is drawn 
by labeling each edge or node $x$ of $G$ with $\mathit{type}_G(x)$. Only when the same 
graphical item $x$ belongs to both the left- and the right-hand side of a production 
we include its identity in the label (which becomes "$x : \mathit{type}_G(x)$"): in this case 
we also shade the item, to stress that it is preserved by the production. 
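The rewriting of Definition 3 on the grammar $\mathcal{CP}$ of Example 1, implemented in Python as an added example (this is not code from the paper). Typed hypergraphs carry their connection function as tuples of nodes, productions share names for the preserved items of $L \cap R$, matches are enumerated with the identification condition, and a brute-force check of $\simeq$ lets the last function collect the graphs reachable from the start graph up to isolated nodes. Since Fig. 2 is not on the page, the exact shape of [engage] and [release] is an assumption reconstructed from the text: $P$ and $CM$ edges have one connection to a shared node, $PE$ edges have two, and [engage] creates the node shared by the two $PE$ edges.

```python
import itertools
from collections import deque


class Graph:
    """Typed hypergraph: `nodes` is a set of names, `edges` maps an edge name to
    (type label, tuple of attached nodes), i.e. the typing and connection function."""
    def __init__(self, nodes, edges):
        self.nodes, self.edges = set(nodes), dict(edges)
        for _, attached in self.edges.values():
            assert set(attached) <= self.nodes, "edge attached to an unknown node"

    def without_isolated(self):
        """Drop isolated nodes: graphs are compared up to them (the relation written ~)."""
        return Graph({v for _, att in self.edges.values() for v in att}, self.edges)


class Production:
    """L -> R; items with the same name in L and R are the preserved ones (L ∩ R)."""
    def __init__(self, name, L, R):
        self.name, self.L, self.R = name, L, R
        assert L.nodes <= R.nodes, "Definition 2, condition 2: nodes are never deleted"
        self.consumed = set(L.edges) - set(R.edges)      # E_|L| - E_|R|
        self.created = set(R.edges) - set(L.edges)       # E_|R| - E_|L|
        self.preserved = set(L.edges) & set(R.edges)     # edges of L ∩ R
        assert self.consumed and self.created, "Definition 2, condition 3"


def matches(prod, G):
    """Morphisms L -> G respecting types and connections, with the identification condition."""
    L, ledges = prod.L, sorted(prod.L.edges)
    candidates = [[g for g, (t, att) in G.edges.items()
                   if t == L.edges[e][0] and len(att) == len(L.edges[e][1])] for e in ledges]
    for choice in itertools.product(*candidates):
        emap = dict(zip(ledges, choice))
        # identification condition: two L-edges share an image only if both are preserved
        if any(emap[a] == emap[b] and not (a in prod.preserved and b in prod.preserved)
               for a, b in itertools.combinations(ledges, 2)):
            continue
        nmap, consistent = {}, True   # the node map is forced by the connections
        for e in ledges:
            for v, w in zip(L.edges[e][1], G.edges[emap[e]][1]):
                consistent &= nmap.setdefault(v, w) == w
        if consistent:
            yield emap, nmap


_fresh = itertools.count()


def rewrite(prod, G, emap, nmap):
    """Remove the images of consumed edges, add fresh copies of the created items and glue
    R to the result along the preserved items (the quotient by ≡ of Definition 3)."""
    glue, nodes = dict(nmap), set(G.nodes)
    for v in prod.R.nodes - prod.L.nodes:             # created nodes get fresh names
        glue[v] = f"n{next(_fresh)}"
        nodes.add(glue[v])
    removed = {emap[e] for e in prod.consumed}
    edges = {g: ta for g, ta in G.edges.items() if g not in removed}
    for r in prod.created:                            # created edges, attached via the glueing
        t, att = prod.R.edges[r]
        edges[f"e{next(_fresh)}"] = (t, tuple(glue[v] for v in att))
    return Graph(nodes, edges)


def isomorphic(G, H):
    """G ~ H: isomorphism up to isolated nodes, by brute force over node bijections."""
    G, H = G.without_isolated(), H.without_isolated()
    if len(G.nodes) != len(H.nodes) or len(G.edges) != len(H.edges):
        return False
    gn, hedges = sorted(G.nodes), sorted(H.edges.values())
    for perm in itertools.permutations(sorted(H.nodes)):
        f = dict(zip(gn, perm))
        if sorted((t, tuple(f[v] for v in att)) for t, att in G.edges.values()) == hedges:
            return True
    return False


def reachable(start, prods):
    """Breadth-first exploration of the graphs reachable from `start`, kept up to ~."""
    seen = [start.without_isolated()]
    queue = deque(seen)
    while queue:
        G = queue.popleft()
        for p in prods:
            for emap, nmap in matches(p, G):
                H = rewrite(p, G, emap, nmap).without_isolated()
                if not any(isomorphic(H, S) for S in seen):
                    seen.append(H)
                    queue.append(H)
    return seen


def cp_grammar(n_processes=3):
    """The grammar CP of Example 1 with n processes; production shapes are an assumption."""
    start = Graph({"v"}, {"cm": ("CM", ("v",)),
                          **{f"p{i}": ("P", ("v",)) for i in range(n_processes)}})
    engage = Production("engage",
        Graph({"v"}, {"cm": ("CM", ("v",)), "p1": ("P", ("v",)), "p2": ("P", ("v",))}),
        Graph({"v", "w"}, {"cm": ("CM", ("v",)), "e1": ("PE", ("v", "w")), "e2": ("PE", ("v", "w"))}))
    release = Production("release",
        Graph({"v", "w"}, {"e1": ("PE", ("v", "w")), "e2": ("PE", ("v", "w"))}),
        Graph({"v", "w"}, {"p1": ("P", ("v",)), "p2": ("P", ("v",))}))
    return start, [engage, release]
```

With three processes the start graph admits six matches of [engage] (ordered pairs of distinct $P$ edges, since both are consumed and may not be identified) and the grammar has two reachable graphs up to $\simeq$; with four processes there are three, the node left isolated by [release] being garbage-collected as the text prescribes.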

The notion of safety for graph grammars [6] generalises the one for P/T nets 
which requires that each place contains at most one token in any reachable mark- 
ing. More generally, we extend to graph grammars the notion of n-boundedness. 
Fig. 2. The finite-state graph grammar $\mathcal{CP}$ 

Definition 5 (Bounded/Safe Grammar). For a fixed $n \in \mathbb{N}$, we say that a 
graph grammar $\mathcal{G}$ is $n$-bounded if for all graphs $H$ reachable in $\mathcal{G}$ there is an 
$n$-injective graph $H'$ such that $H' \simeq H$. A 1-bounded grammar will be called safe. 

The definition can be understood by thinking of edges of the graph of types 
T as a generalisation of places in Petri nets. In this view the number of different 
edges of a graph which are typed on the same item of T corresponds to the 
number of tokens contained in a place. Observe that for finite graph grammars, 
n-boundedness amounts to the property of being finite-state (up to isomorphism 
and up to isolated nodes). In the sequel when considering a finite-state graph 
grammar we will (often implicitly) assume that it is also finite. 

For instance, the graph grammar $\mathcal{CP}$ in Fig. 2 is clearly 3-bounded and thus 
finite-state (but only up to isolated nodes). 

2.2 Nondeterministic Occurrence Grammars 

When a graph grammar $\mathcal{G}$ is safe, and thus reachable graphs are injectively typed, 
at every step, for any item $t$ in the type graph every production can consume, 
preserve and produce a single item typed $t$. Hence we can safely think that a 
production, according to its typing, consumes, preserves and produces items of 
the graph of types. Using a net-like language, we speak of pre-set $^\bullet q$, context 
$\underline{q}$ and post-set $q^\bullet$ of a production $q$. Since we work with graphs considered up 
to isolated nodes, we will record in these sets only edges. Formally, for any 
production $q$ of a graph grammar $\mathcal{G} = (T, G_s, P, \pi)$, we define 

$^\bullet q = \mathit{type}_{L_q}(E_{|L_q|} - E_{|R_q|}) \qquad \underline{q} = \mathit{type}_{L_q}(E_{|L_q \cap R_q|}) \qquad q^\bullet = \mathit{type}_{R_q}(E_{|R_q|} - E_{|L_q|})$ 

Furthermore, for any edge $e$ in $T$ we define $^\bullet e = \{q \in P : e \in q^\bullet\}$, $\underline{e} = \{q \in P : 
e \in \underline{q}\}$, $e^\bullet = \{q \in P : e \in {}^\bullet q\}$. This notation is extended also to nodes in the 
obvious way, e.g., for $v \in V_T$ we define $^\bullet v = \{q \in P : v \in \mathit{type}_{R_q}(V_{|R_q|} - V_{|L_q|})\}$. 
An example of safe grammar can be found in Fig. 3 (for the moment ignore 
its relation to grammar $\mathcal{CP}$ in Fig. 2). For this grammar, $^\bullet\mathit{engage1} = \{2{:}P, 3{:}P\}$, 
$\underline{\mathit{engage1}} = \{1{:}CM\}$ and $\mathit{engage1}^\bullet = \{5{:}PE, 6{:}PE\}$, while $^\bullet 1{:}CM = \emptyset$, $\underline{1{:}CM} = 
\{\mathit{engage1}, \mathit{engage2}, \mathit{engage3}\}$ and $3{:}P^\bullet = \{\mathit{engage1}, \mathit{engage3}\}$. 
Definition 6 (Causal Relation). The causal relation of a safe grammar $\mathcal{G}$ 
is the least transitive relation $<$ over $\mathit{Elem}(\mathcal{G})$ satisfying, for any edge $e$ in the 
graph of types $T$, and for productions $q, q' \in P$: 

1. $e \in {}^\bullet q \Rightarrow e < q$; 2. $e \in q^\bullet \Rightarrow q < e$; 3. $q^\bullet \cap \underline{q'} \neq \emptyset \Rightarrow q < q'$. 

As usual $\leq$ is the reflexive closure of $<$. Moreover, for $x \in \mathit{Elem}(\mathcal{G})$ we denote 
by $\lfloor x \rfloor$ the set of causes of $x$ in $P$, namely $\lfloor x \rfloor = \{q \in P : q \leq x\}$. 

Note that the fact that an item is preserved by $q$ and consumed by $q'$, i.e., 
$\underline{q} \cap {}^\bullet q' \neq \emptyset$, does not imply $q < q'$. In this case, the dependency between the two 
productions is a kind of asymmetric conflict (see [4, 18, 16, 23]): the application 
of $q'$ prevents $q$ from being applied, so that $q$ can never follow $q'$ in a derivation 
(or, equivalently, if both $q$ and $q'$ occur in a derivation then $q$ must precede $q'$). 

Definition 7 (Asymmetric Conflict). The asymmetric conflict $\nearrow$ of a safe 
grammar $\mathcal{G}$ is the relation over the set of productions $P$, defined by $q \nearrow q'$ if: 

1. $\underline{q} \cap {}^\bullet q' \neq \emptyset$; 2. $^\bullet q \cap {}^\bullet q' \neq \emptyset$ and $q \neq q'$; 3. $q < q'$. 

Condition 1 is justified by the discussion above. Condition 2 essentially ex- 
presses the fact that the ordinary symmetric conflict is encoded, in this setting, 
as an asymmetric conflict in both directions. More generally, we will write $q \# q'$ 
and say that $q$ and $q'$ are in conflict when the causes of $q$ and $q'$, i.e., $\lfloor q \rfloor \cup \lfloor q' \rfloor$, 
includes a cycle of asymmetric conflict. Finally, since $<$ represents a global or- 
der of execution, while $\nearrow$ determines an order of execution only locally to each 
computation, it is natural to impose $\nearrow$ to be an extension of $<$ (Condition 3). 

Definition 8 ((Nondeterministic) Occurrence Grammar). A (nondeter- 
ministic) occurrence grammar is a safe grammar $O = (T, G_s, P, \pi)$ such that 

1. $<$ is a partial order; for any $q \in P$, $\lfloor q \rfloor$ is finite and $\nearrow$ is acyclic on $\lfloor q \rfloor$; 

2. $G_s$ is the graph $\mathit{graph}(\mathit{Min}(O))$ generated by the set $\mathit{Min}(O)$ of minimal 
elements of $\langle \mathit{Elem}(O), \leq \rangle$, typed over $T$ by the inclusion; 

3. any item $x$ in $T$ is created by at most one production in $P$, i.e., $|{}^\bullet x| \leq 1$; 

4. for each $q \in P$, the typing $\mathit{type}_{L_q}$ is injective on the "consumed" items in 
$|L_q| - |R_q|$, and $\mathit{type}_{R_q}$ is injective on the "produced" items in $|R_q| - |L_q|$. 

Since the start graph of an occurrence grammar $O$ is determined by $\mathit{Min}(O)$, 
we often do not mention it explicitly. 

Intuitively, Conditions 1-3 recast in the framework of graph grammars the 
conditions of occurrence nets (actually of occurrence contextual nets [4,23]). In 
particular, in Condition 1, the acyclicity of asymmetric conflict on $\lfloor q \rfloor$ corre- 
sponds to the requirement of irreflexivity for the conflict relation in occurrence 
nets. Condition 4, instead, is closely related to safety and requires that each 
production consumes and produces items with multiplicity one. An example of 
an occurrence grammar is given in Fig. 3. 
2.3 Concurrent Subgraphs, Configurations and Histories 

The finite computations of an occurrence grammar are characterised by special 
subsets of productions closed under causal dependencies and with no conflicts 
(i.e., cycles of asymmetric conflict), suitably ordered. 

Definition 9 (Configuration). Let $O = (T, P, \pi)$ be an occurrence grammar. 
A configuration of $O$ is a finite subset of productions $C \subseteq P$ such that $\nearrow_C$ (the 
asymmetric conflict restricted to $C$) is acyclic, and for any $q \in C$, $\lfloor q \rfloor \subseteq C$. 
Given two configurations $C_1, C_2$ we write $C_1 \sqsubseteq C_2$ if $C_1 \subseteq C_2$ and for any 
$q_1 \in C_1$, $q_2 \in C_2$, if $q_2 \nearrow q_1$ then $q_2 \in C_1$. 

The set of all configurations of $O$, ordered by $\sqsubseteq$, is denoted by $\mathit{Conf}(O)$. 

Proposition 1 (Reachability of Graphs Generated by Configurations). 

Let $O$ be an occurrence grammar, $C \in \mathit{Conf}(O)$ be a configuration and 

$G(C) = \mathit{graph}\big((\mathit{Min}(O) \cup \bigcup_{q \in C} q^\bullet) - \bigcup_{q \in C} {}^\bullet q\big).$ 

Then a graph $G$ such that $G \simeq G(C)$ can be obtained from the start graph of 
$O$, by applying all the productions in $C$ in any order compatible with $\nearrow$. 

Due to the presence of asymmetric conflicts, given a production $q$, the history 
of $q$, i.e., the set of events which must precede $q$ in a computation, is not uniquely 
determined by $q$, but it depends also on the particular computation: the history 
of $q$ may or may not include the productions in asymmetric conflict with $q$. 

Definition 10 (History). Let $O$ be an occurrence grammar, let $C \in \mathit{Conf}(O)$ 
be a configuration and let $q \in C$. The history of $q$ in $C$ is the set of events 
$C\lfloor q \rfloor = \{q' \in C : q' \nearrow^*_C q\}$. We denote by $\mathit{Hist}(q)$ the set of histories of $q$, i.e., 
$\mathit{Hist}(q) = \{C\lfloor q \rfloor : C \in \mathit{Conf}(O)\}$. 

Reachable states can be characterised in terms of a concurrency relation. 

Definition 11 (Concurrent Graph). Let $O = (T, P, \pi)$ be an occurrence 
grammar. A finite subset of edges $E \subseteq E_T$ is called concurrent, written $\mathit{co}(E)$, 
if 

1. $\nearrow_{\lfloor E \rfloor}$, the asymmetric conflict restricted to $\bigcup_{e \in E} \lfloor e \rfloor$, is acyclic; 

2. $\neg(x < y)$ for all $x, y \in E$. 

A subgraph $G$ of $T$ is called concurrent, written $\mathit{co}(G)$, if $\mathit{co}(E_G)$. 

It can be shown that the maximal concurrent subgraphs $G$ of $T$ correspond 
exactly (up to isolated nodes) to the graphs reachable from the start graph. 

2.4 Unfolding of Graph Grammars 

The unfolding construction, when applied to a grammar $\mathcal{G}$, produces a nondeter- 
ministic occurrence grammar $\mathcal{U}(\mathcal{G})$ describing the behaviour of $\mathcal{G}$. A construction 
for the double-pushout algebraic approach to graph rewriting has been proposed 
in [3]: the one sketched here is simpler because productions cannot delete nodes 
and thus the dangling edge condition does not play a role. 

The construction begins from the start graph of $\mathcal{G}$, and then appl<br>ies in all 
possible ways its productions to concurrent subgraphs, recording in the unfold- 
ing each occurrence of production and each new graph item generated in the 
rewriting process. 

Definition 12 (Unfolding - Sketch). Let $\mathcal{G} = (T, G_s, P, \pi)$ be a graph gram- 
mar. The unfolding $\mathcal{U}(\mathcal{G}) = (T', G'_s, P', \pi')$ is the "componentwise" union of the 
following inductively defined sequence of occurrence grammars $\mathcal{U}(\mathcal{G})^{(n)}$: 

($n = 0$) $\mathcal{U}(\mathcal{G})^{(0)}$ consists of the start graph $|G_s|$, with no productions. 

($n \to n+1$) Take $q \in P$ and let $m$ be a match of $q$ in the graph of types of 
$\mathcal{U}(\mathcal{G})^{(n)}$ satisfying the identification condition, such that $m(|L_q|)$ is concurrent. 
Then the occurrence grammar $\mathcal{U}(\mathcal{G})^{(n+1)}$ is obtained by "recording" in $\mathcal{U}(\mathcal{G})^{(n)}$ 
the application of $q$ at the match $m$. More precisely, a new production $q' = (q, m)$ 
is added and the graph of types is extended by adding to it a copy of each 
item generated by the application of $q$, without deleting any item. 

The unfolding is mapped over the original grammar by the so-called folding 
morphism $\chi = (\chi_T, \chi_P) : \mathcal{U}(\mathcal{G}) \to \mathcal{G}$. The first component $\chi_T : T' \to T$ is a graph 
morphism mapping each graph item in the (graph of types of) the unfolding to 
the corresponding item in the (graph of types of) the original grammar $\mathcal{G}$. The 
second component $\chi_P : P' \to P$ maps any production occurrence $(q, m)$ in the 
unfolding to the corresponding production $q$ of $\mathcal{G}$. 

The occurrence grammar in Fig. 3 is an initial part of the (infinite) unfolding 
of the grammar $\mathcal{CP}$ in Fig. 2. For instance, production $\mathit{engage1}$ is an occurrence 
of production $\mathit{engage}$ in $\mathcal{CP}$, applied at the match consisting of the edges $1{:}CM$, 
$2{:}P$, $3{:}P$. Unfolding such a match, three new graph items, two edges $5{:}PE$, $6{:}PE$ 
and a node, are added to the graph of types of the unfolding. Note that the graph 
of types of the (partial) unfolding (call it $T_{\mathcal{T}}$) is typed over the graph of types 
$T_{\mathcal{CP}}$ of the original grammar (via the folding morphism $\chi_T : T_{\mathcal{T}} \to T_{\mathcal{CP}}$). This 
explains why the edges of the graphs in the productions of the unfolding, which 
are typed over $T_{\mathcal{T}}$, are marked with names including two colons. 

The unfolding provides a compact representation of the behaviour of $\mathcal{G}$, and 
in particular it represents all the graphs reachable in $\mathcal{G}$, in the following sense. 

Theorem 1 (Completeness of the Unfolding). Let $\mathcal{G} = (T, G_s, P, \pi)$ be a 
graph grammar. A $T$-typed graph $G$ is reachable in $\mathcal{G}$ iff there exists a maximal 
concurrent subgraph $X'$ of the graph of types of $\mathcal{U}(\mathcal{G})$ such that $G \simeq (X', \chi_T|_{X'})$. 



3 Finite Prefix for Graph Grammars 

Let $\mathcal{G} = (T, G_s, P, \pi)$ denote a graph grammar, fixed throughout the section, 
and let $\mathcal{U}(\mathcal{G}) = (T', P', \pi')$ be its unfolding with $\chi : \mathcal{U}(\mathcal{G}) \to \mathcal{G}$ the folding 
morphism, as in Definition 12. Given a configuration $C$ of $\mathcal{U}(\mathcal{G})$, recall from 
Proposition 1 that $G(C)$ denotes the subgraph of $T'$ reached after the execution 
of the productions in $C$ (up to isolated nodes). We shall denote by $\mathit{Reach}(C)$ 
the same graph, seen as a graph typed over $T$ by the restriction of the folding 
morphism, i.e., $\mathit{Reach}(C) = (G(C), \chi_T|_{G(C)})$. 

To identify a finite prefix of the unfolding the idea consists of avoiding to keep 
in the unfolding useless productions, i.e., productions which do not contribute to 
generating new graphs. The definition of “cut-off event” introduced by McMillan 
for Petri nets in order to formalise such a notion has to be adapted to this context, 
since for graph grammars a production may have different histories. 

Definition 13 (Cut-Off). A production $q \in P'$ of the unfolding $\mathcal{U}(\mathcal{G})$ is a cut- 
off if there exists $q' \in P'$ such that $\mathit{Reach}(\lfloor q \rfloor) \simeq \mathit{Reach}(\lfloor q' \rfloor)$ and $|\lfloor q' \rfloor| < |\lfloor q \rfloor|$. 

A production $q$ is a strong cut-off if for all $C_q \in \mathit{Hist}(q)$ there exist $q' \in P'$ 
and $C_{q'} \in \mathit{Hist}(q')$ such that $\mathit{Reach}(C_q) \simeq \mathit{Reach}(C_{q'})$ and $|C_{q'}| < |C_q|$. The 
truncation of $\mathcal{G}$ is the greatest prefix $\mathcal{T}(\mathcal{G})$ of $\mathcal{U}(\mathcal{G})$ not including strong cut-offs. 

Theorem 2 (Completeness and Finiteness of the Truncation). The trun- 
cation $\mathcal{T}(\mathcal{G})$ is a complete prefix of the unfolding, i.e., for any reachable graph 
$G$ of $\mathcal{G}$ there is a configuration $C$ in $\mathit{Conf}(\mathcal{T}(\mathcal{G}))$ such that $\mathit{Reach}(C) \simeq G$. Fur- 
thermore, if $\mathcal{G}$ is $n$-bounded then the truncation $\mathcal{T}(\mathcal{G})$ is finite. 

Unfortunately, the proof of the above theorem does not suggest a way of 
constructing the truncation for finite-state graph grammars. The problem es- 
sentially resides in the fact that the notion of strong cut-off refers to the set of 
histories of a production, which is, in general, infinite. While leaving the solution 
for the general case as an open problem, we next discuss how a finite complete 
prefix can be derived for a class of grammars for which this problem disappears. 
This still interesting class of graph grammars is characterised by a property that 
we call “read-persistence”, since it appears as the graph grammar theoretical 
version of read-persistence as defined for contextual nets [23] . 

Definition 14 (Read-Persistence). An occurrence grammar $O = (T, P, \pi)$ is 
called read-persistent if for any $q_1, q_2 \in P$, if $q_1 \nearrow q_2$ then $q_1 < q_2$ or $q_1 \# q_2$. A 
graph grammar $\mathcal{G}$ is called read-persistent if its unfolding $\mathcal{U}(\mathcal{G})$ is read-persistent. 

It can be shown that an adaptation of the algorithm originally proposed 
in [17] for ordinary nets and extended in [23] to read-persistent contextual nets, 
works for read-persistent graph grammars. In particular, the notion of strong 
cut-off can be safely replaced by the weaker notion of (ordinary) cut-off. An obvious class of read-persistent graph grammars consists of all the grammars $\mathcal{G}$ where any edge preserved by productions is never consumed.

For instance, the grammar $CV$ in our running example is read-persistent, since the communication manager $CM$, the only edge preserved by productions, is never consumed. Its truncation is the graph grammar $\mathcal{T}(CV)$ depicted in Fig. 3. Denote by $T'$ its type graph. Note that applying the production [release] to any subgraph of $T'$ matching its left-hand side would result in a cut-off: this is the reason why $\mathcal{T}(CV)$ does not include any instance of production [release]. The start graph of the truncation is isomorphic to the start graph of grammar $CV$ and it is mapped injectively to the graph of types $T'$ in the obvious way.

Fig. 3. The truncation $\mathcal{T}(CV)$ of the graph grammar in Fig. 2

In general, the truncation of a grammar such as $CV$ where $n$ processes are connected to $CM$ in the start graph will contain $\frac{n(n-1)}{2}$ productions. Considering instead all possible interleavings, we would end up with an exponential number of productions.



4 Exploiting the Prefix

In this section we propose a monadic second-order logic $\mathcal{L}2$ where some graph properties of interest can be expressed. Then we show how the validity of a property in $\mathcal{L}2$ over all the reachable graphs of a finite-state grammar $\mathcal{G}$ can be verified by exploiting a complete finite prefix.



4.1 A Logic on Graphs

We first introduce the monadic second-order logic $\mathcal{L}2$ for specifying graph properties. Quantification is allowed over edges, but not over nodes (as, e.g., in [8]).

Definition 15 (Graph Formulae). Let $\mathcal{X}_1 = \{x, y, \ldots\}$ be a set of (first-order) edge variables and let $\mathcal{X}_2 = \{X, Y, \ldots\}$ be a set of (second-order) variables representing edge sets. The set of graph formulae of the logic $\mathcal{L}2$ is defined as follows, where $\ell \in \Lambda$, $i, j \in \mathbb{N}$:

$F ::= x = y \mid c_i(x) = c_j(y) \mid type(x) = \ell \mid x \in X$ (Predicates)

$\quad\;\;\; \mid F \vee F \mid \neg F \mid \exists x.F \mid \exists X.F$ (Connectives / Quantifiers)
Fig. 4. The Petri net underlying the truncation $\mathcal{T}(CV)$ in Fig. 3

We denote by $free(F)$ and $Free(F)$ the sets of first-order and second-order variables, respectively, occurring free in $F$, defined in the obvious way.

Given a $T$-typed graph $G$, a formula $F$ in $\mathcal{L}2$, and two valuations $\sigma : free(F) \to E_G$ and $\Sigma : Free(F) \to \mathcal{P}(E_G)$ for the free first- and second-order variables of $F$, respectively, the satisfaction relation $G \models_{\sigma,\Sigma} F$ is defined inductively, in the usual way; for instance $G \models_{\sigma,\Sigma} x = y$ iff $\sigma(x) = \sigma(y)$ and $G \models_{\sigma,\Sigma} x \in X$ iff $\sigma(x) \in \Sigma(X)$.

A simple but fundamental observation is that, while for $n$-bounded graph grammars the graphical nature of the state plays a basic role, for any occurrence grammar $\mathcal{O}$ we can forget about it and view $\mathcal{O}$ as an occurrence contextual net (i.e., a Petri net with read arcs, see, e.g., [4,23]).

Definition 16 (Petri Net Underlying a Graph Grammar). The contextual Petri net underlying an occurrence grammar $\mathcal{O} = (T', P', \pi')$, denoted by $Net(\mathcal{O})$, is the Petri net having the set of edges $E_{T'}$ as places and a transition for every production $q \in P'$, with pre-set ${}^\bullet q$, post-set $q^\bull$ and context $\underline{q}$.

For instance, the Petri net $Net(\mathcal{T}(CV))$ underlying the truncation of $CV$ (see Fig. 3) is depicted in Fig. 4. Read arcs are represented as dotted undirected lines.

Let $\mathcal{G} = (T, G_s, P, \pi)$ be a fixed finite-state graph grammar and consider the truncation $\mathcal{T}(\mathcal{G}) = (T', P', \pi')$ (actually, all the results hold for any complete finite prefix of the unfolding). Notice that, by completeness of $\mathcal{T}(\mathcal{G})$, any graph reachable in $\mathcal{G}$ is (up to isolated nodes) a subgraph of the graph of types $T'$ of $\mathcal{T}(\mathcal{G})$, typed over $T$ by the restriction of the folding morphism $\chi : \mathcal{U}(\mathcal{G}) \to \mathcal{G}$. Also observe that a safe marking $m$ of $Net(\mathcal{T}(\mathcal{G}))$ can be seen as a graph typed over the type graph $T$ of the original grammar $\mathcal{G}$: take the least subgraph of $T'$ having $m$ as set of edges, i.e., $graph(m)$, and type it over $T$ by the restriction of the folding morphism. With a slight abuse of notation this typed graph will be denoted simply as $graph(m)$.

We show how any formula $\phi$ in $\mathcal{L}2$ can be translated to a formula $M(\phi)$ over the safe markings of $Net(\mathcal{T}(\mathcal{G}))$ such that, for any marking $m$ reachable in $Net(\mathcal{T}(\mathcal{G}))$,

$graph(m) \models \phi$ iff $m \models M(\phi)$.

The syntax of the formulae over markings is

$\phi ::= e \mid \neg\phi \mid \phi \wedge \phi \mid \phi \vee \phi \mid \phi \to \phi$,

where the basic formulae $e$ are place (edge) names, meaning that the place is marked, i.e., $m \models e$ if $e \in m$. Logical connectives are treated as usual.

Definition 17 (Encoding Graph into Multiset Formulae). Let $\mathcal{T}(\mathcal{G})$ be the truncation of a graph grammar $\mathcal{G}$, as above. Let $F$ be a graph formula in $\mathcal{L}2$, let $\sigma : free(F) \to E_{T'}$ and $\Sigma : Free(F) \to \mathcal{P}(E_{T'})$. The encoding $M$ is defined as:

$M[x = y, \sigma, \Sigma] = true$ if $\sigma(x) = \sigma(y)$ and $false$ otherwise

$M[c_i(x) = c_j(y), \sigma, \Sigma] = true$ if $|c_{T'}(\sigma(x))| \geq i \wedge |c_{T'}(\sigma(y))| \geq j \wedge [c_{T'}(\sigma(x))]_i = [c_{T'}(\sigma(y))]_j$, and $false$ otherwise

$M[type(x) = \ell, \sigma, \Sigma] = true$ if $\chi_T(\sigma(x)) = \ell$ and $false$ otherwise

$M[x \in X, \sigma, \Sigma] = true$ if $\sigma(x) \in \Sigma(X)$ and $false$ otherwise

$M[F_1 \vee F_2, \sigma, \Sigma] = M[F_1, \sigma, \Sigma] \vee M[F_2, \sigma, \Sigma]$

$M[\neg F, \sigma, \Sigma] = \neg M[F, \sigma, \Sigma]$

$M[\exists x.F, \sigma, \Sigma] = \bigvee_{e \in E_{T'}} (e \wedge M[F, \sigma \cup \{x \mapsto e\}, \Sigma])$

$M[\exists X.F, \sigma, \Sigma] = \bigvee_{E \subseteq E_{T'},\ co(E)} (\bigwedge E \wedge M[F, \sigma, \Sigma \cup \{X \mapsto E\}])$

where, for $E = \{e_1, \ldots, e_n\}$, the symbol $\bigwedge E$ stands for $e_1 \wedge \ldots \wedge e_n$. If $F$ is a closed formula (i.e., without free variables), we define $M[F] = M[F, \emptyset, \emptyset]$.

Note that, since every reachable graph in $\mathcal{G}$ is isomorphic to a subgraph of $T'$, typed by the restriction of $\chi_T$, the encoding resolves the basic predicates by exploiting the structural information of $T'$. When a first-order variable $x$ in a formula is mapped to an edge $e$, we take care that the edge is marked, and, similarly, when a second-order variable $X$ in a formula is mapped to a set of edges $E$, such a set must be covered. Observe that in this case $E$ is limited to range only over concurrent subsets of edges. In fact, if $E$ is a non-concurrent set, then no reachable marking $m$ will include $E$, i.e., $m \not\models \bigwedge E$.

It is possible to show that the above encoding is correct, i.e., for any formula $\phi \in \mathcal{L}2$, for any pair of valuations $\sigma : \mathcal{X}_1 \to E_{T'}$ and $\Sigma : \mathcal{X}_2 \to \mathcal{P}(E_{T'})$, and for any safe marking $m$ over $E_{T'}$, we have $graph(m) \models_{\sigma,\Sigma} \phi$ iff $m \models M[\phi, \sigma, \Sigma]$.

4.2 Checking Properties of Reachable Graphs

Let $\mathcal{G} = (G_s, T, P, \pi)$ be a finite-state graph grammar. We next show how a complete finite prefix of $\mathcal{G}$ can be used to check whether, given a formula $F \in \mathcal{L}2$, there exists some reachable graph which satisfies $F$. In this case we will write $\mathcal{G} \models \Diamond F$. The same algorithm allows one to check “invariants” of a graph grammar, i.e., to verify whether a property $F \in \mathcal{L}2$ is satisfied by all graphs reachable in $\mathcal{G}$, written $\mathcal{G} \models \Box F$. In fact, it trivially holds that $\mathcal{G} \models \Box F$ iff $\mathcal{G} \not\models \Diamond \neg F$.

Let $\mathcal{T}(\mathcal{G}) = (T', P', \pi')$ be the truncation of $\mathcal{G}$ (or any complete prefix of the unfolding) and let $Net(\mathcal{T}(\mathcal{G}))$ be the underlying Petri net. The formula produced by the encoding in Definition 17 can be simplified by exploiting the mutual relationships between items as expressed by the causality, (asymmetric) conflict and concurrency relations.
Proposition 2 (Simplification). Let $F$ be any formula in $\mathcal{L}2$, let $\sigma : free(F) \to E_{T'}$ and $\Sigma : Free(F) \to \mathcal{P}(E_{T'})$ be valuations. If $m$ is a marking reachable in $Net(\mathcal{T}(\mathcal{G}))$ and $\eta$ is a marking formula obtained by simplifying $M[F, \sigma, \Sigma]$ with the Simplification Rule below:

If $S \subseteq E_{T'}$ and $\neg co(S)$ then replace the subformula $\bigwedge S$ by $false$,

then $graph(m) \models_{\sigma,\Sigma} F$ iff $m \models \eta$.

Algorithm. The question “$\mathcal{G} \models \Diamond F$?” is answered by working over $Net(\mathcal{T}(\mathcal{G}))$:

— Consider the formula over markings $M[F]$ (see Definition 17);

— Express $M[F]$ in disjunctive normal form as below, where $a_{ij}$ can be $e$ or $\neg e$ for $e \in E_{T'}$:

$\eta = \bigvee_{i=1}^{n} \bigwedge_{j=1}^{k_i} a_{ij}$

— Apply the Simplification Rule in Proposition 2, as far as possible, thus obtaining a formula $\eta'$;

— For any conjunct in $\eta'$ of the kind $e_1 \wedge \ldots \wedge e_h \wedge \neg e'_1 \wedge \ldots \wedge \neg e'_l$:

• Take the configuration $C = \lfloor \{e_1, \ldots, e_h\} \rfloor$.

• Consider the safe marking reached after $C$, i.e., $m_C = (m_0 \cup \bigcup_{t \in C} t^\bullet) - \bigcup_{t \in C} {}^\bullet t$, where $m_0$ is the initial marking of $Net(\mathcal{T}(\mathcal{G}))$ (consisting of all minimal places). Surely $m_C$ includes $\{e_1, \ldots, e_h\}$. Hence, the only reason why the conjunct may not be true is that $m_C$ includes some of the $\{e'_1, \ldots, e'_l\}$. In this case look for a configuration $C' \supseteq C$ which enriches $C$ with transitions which consume the $e'_k$ but not the $e_i$.

— The formula $\Diamond F$ holds iff this check succeeds for at least one conjunct.

For instance, suppose that we want to check that our sample graph grammar $CV$ satisfies $\Box F$, where $F$ is an $\mathcal{L}2$ formula specifying that every engaged process is connected through connection $c_2$ to exactly one other engaged process, i.e.,

$F = \forall x.(type(x) = PE \Rightarrow \exists y.(x \neq y \wedge type(y) = PE \wedge c_2(x) = c_2(y) \wedge \forall z.(type(z) = PE \wedge x \neq z \wedge c_2(x) = c_2(z) \Rightarrow y = z)))$.

The encoding $\phi = M[F]$ simplifies to

$\phi = (5{:}PE \Leftrightarrow 6{:}PE) \wedge (7{:}PE \Leftrightarrow 8{:}PE) \wedge (9{:}PE \Leftrightarrow 10{:}PE)$

and we have to check that the truncation does not satisfy

$\Diamond \neg\phi = \Diamond [(5{:}PE \wedge \neg 6{:}PE) \vee (\neg 5{:}PE \wedge 6{:}PE) \vee (7{:}PE \wedge \neg 8{:}PE) \vee (\neg 7{:}PE \wedge 8{:}PE) \vee (9{:}PE \wedge \neg 10{:}PE) \vee (\neg 9{:}PE \wedge 10{:}PE)]$,

which can be done by using the described verification procedure.
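The check of $\Diamond F$ over the prefix, as an added example that is not code from the paper: it runs the conjunct-by-conjunct procedure of the Algorithm above on a small contextual occurrence net. The net is a constructed stand-in for $Net(\mathcal{T}(CV))$ of Fig. 4, and the transition names, the engage/PE numbering and the read arc on $1{:}CM$ are our assumptions.

```python
"""Added example, not code from the paper: the prefix-based check of
"G |= <>F" from Section 4.2, run on a small contextual occurrence net.
The net is a constructed stand-in for Net(T(CV)) of Fig. 4 (an assumption):
processes 2:P, 3:P, 4:P attached to 1:CM, and one [engage] production per
pair of processes that reads 1:CM, consumes the two P edges and produces
two PE edges. Transition names and the PE numbering are ours."""
from itertools import chain

# transition -> (pre-set, post-set, context); 1:CM is only read (read arc)
TRANSITIONS = {
    "engage(2,3)": ({"2:P", "3:P"}, {"5:PE", "6:PE"}, {"1:CM"}),
    "engage(2,4)": ({"2:P", "4:P"}, {"7:PE", "8:PE"}, {"1:CM"}),
    "engage(3,4)": ({"3:P", "4:P"}, {"9:PE", "10:PE"}, {"1:CM"}),
}
M0 = frozenset({"1:CM", "2:P", "3:P", "4:P"})   # initial (minimal) places


def producer(place):
    """The unique transition producing `place` in an occurrence net, if any."""
    return next((t for t, (_, post, _) in TRANSITIONS.items() if place in post), None)


def causal_closure(places):
    """|_S_|: every transition that must fire before all places of S are marked."""
    conf, todo = set(), list(places)
    while todo:
        t = producer(todo.pop())
        if t is not None and t not in conf:
            conf.add(t)
            pre, _, ctx = TRANSITIONS[t]
            todo.extend(pre | ctx)
    return frozenset(conf)


def is_configuration(conf):
    """C is a configuration iff all its transitions can fire from m0; with read
    arcs, a reader of a place must fire before the transition consuming it."""
    m, left = set(M0), set(conf)
    while left:
        for t in left:
            pre, post, ctx = TRANSITIONS[t]
            reader_pending = any(pre & TRANSITIONS[u][2] for u in left if u != t)
            if (pre | ctx) <= m and not reader_pending:
                m = (m - pre) | post
                left.remove(t)
                break
        else:
            return False
    return True


def marking_after(conf):
    """m_C = (m0 U post(C)) - pre(C): the safe marking reached after C."""
    post = set(chain.from_iterable(TRANSITIONS[t][1] for t in conf))
    pre = set(chain.from_iterable(TRANSITIONS[t][0] for t in conf))
    return frozenset((M0 | post) - pre)


def conjunct_reachable(positives, negatives):
    """Check a DNF conjunct e1 & .. & eh & ~e'1 & .. & ~e'l against the prefix."""
    conf = causal_closure(positives)
    # Simplification Rule: a non-concurrent set of positives makes /\S false
    if not is_configuration(conf) or not positives <= marking_after(conf):
        return False
    seen, stack = {conf}, [conf]
    while stack:                      # enrich C without consuming any e_i
        conf = stack.pop()
        m = marking_after(conf)
        if not (m & negatives):
            return True
        for t, (pre, _, ctx) in TRANSITIONS.items():
            if t in conf or pre & positives or not (pre | ctx) <= m:
                continue
            bigger = conf | {t}
            if bigger not in seen:
                seen.add(bigger)
                stack.append(bigger)
    return False


def eventually(dnf):
    """<>F holds iff some conjunct of the simplified DNF of M[F] is reachable."""
    return any(conjunct_reachable(frozenset(p), frozenset(n)) for p, n in dnf)


# Conjuncts of <>~phi from the paper's example, as (positives, negatives)
NOT_PHI = [({"5:PE"}, {"6:PE"}), ({"6:PE"}, {"5:PE"}),
           ({"7:PE"}, {"8:PE"}), ({"8:PE"}, {"7:PE"}),
           ({"9:PE"}, {"10:PE"}), ({"10:PE"}, {"9:PE"})]

if __name__ == "__main__":
    # the invariant []phi holds iff <>~phi fails on the prefix
    print("[]phi holds:", not eventually(NOT_PHI))
```

No [engage] transition consumes a PE edge, so every conjunct of $\Diamond\neg\phi$ fails and the invariant holds on this net.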
5 Conclusions

We have discussed how the finite prefix approach, originally introduced by 
McMillan for Petri nets, can be generalised to graph transformation systems. 
A complete finite prefix can be constructed for some classes of graph grammars, 
but the problem of constructing it for general, possibly non-read-persistent gram- 
mars remains open and represents an interesting direction of further research. 
Also, it would be interesting to try to determine an upper bound on the size of 
the prefix, with respect to the number of reachable graphs. 

We have shown how the complete finite prefix can be used to model-check 
some properties of interest for graph transformation systems. We plan to gen- 
eralise the verification technique proposed here to allow the model-checking of 
more expressive logics, like the one studied in [10] for Petri nets, where temporal 
modalities can be arbitrarily nested. We intend to implement the model-checking 
procedure described in the paper and, as in the case of Petri nets, we expect 
that its efficiency could be improved by refined cut-off conditions (see, e.g., [11]) 
which help to decrease the size of the prefix. 

As mentioned in the introduction, some efforts have been devoted recently to 
the development of suitable verification techniques for GTSs. A general theory 
of verification is presented in [12, 13], but without providing directly applicable 
techniques. In [15, 1,5] one can find techniques which are applicable to infinite- 
state systems: the first defines a general framework based on types for graph 
rewriting, while the second is based on the construction of suitable approxi- 
mations of the behaviour of a GTS. Instead, the papers [21, 19] concentrate on 
finite-state GTSs. They both generate a suitable labelled transition system out 
of a given finite-state GTS and then [21] resorts to model-checkers like SPIN, 
while [19] discusses the decidability of the model-checking problem for a logic, 
based on regular path expressions, allowing one to talk about the history of nodes along computations. The main difference with respect to our work is that they do not exploit a partial order semantics, with an explicit representation of concurrency, and thus, considering the possible interleavings of concurrent events, these techniques may suffer from the state-explosion problem.

Acknowledgements. We would like to thank the anonymous referees for their 
helpful comments. We are also grateful to Javier Esparza for interesting and 
helpful discussions on the topic of this paper. 
Abstract. Netcharts have been introduced recently by Mukund et al.
in [17]. This new appealing approach to the specification of collections of 
message sequence charts (MSCs) benefits from a graphical description, 
a formal semantics based on Petri nets, and an appropriate expressive 
power. As opposed to high-level MSCs, any regular MSC language is the 
language of some netchart. Motivated by two open problems raised in 
[17], we establish in this paper that the questions 

(i) whether a given high-level MSC describes some netchart language 

(ii) whether a given netchart is equivalent to some high-level MSC 

(iii) whether a given netchart describes a regular MSC language 

are undecidable. These facts are closely related to our first positive result: 
We prove that netchart languages are exactly the MSC languages that are 
implementable by message passing automata up to refinement of message 
contents. Next we focus on FIFO netcharts: The latter are defined as the 
netcharts whose executions correspond to all firing sequences of their 
low-level Petri net. We show that the questions 

(i) whether a netchart is a FIFO netchart 

(ii) whether a FIFO netchart describes a regular MSC language 

(iii) whether a regular netchart is equivalent to some high-level MSC

are decidable.



Introduction 

Message Sequence Charts (MSCs) are a popular model often used for the docu- 
mentation of telecommunication protocols. They profit by a standardized visual 
and textual presentation (ITU-T recommendation Z.120 [11]) and are related to 
other formalisms such as sequence diagrams of UML. An MSC gives a graphical 
description of communications between processes. It usually abstracts away from 
the values of variables and the actual contents of messages. However, this formal- 
ism can be used at a very early stage of design to detect errors in the specification 
[10]. In this direction, several studies have already brought up methods and com- 
plexity results for the model-checking and implementation of MSCs viewed as a 
specification language [1, 2, 3, 5, 8, 14, 16, 18, 19]. 

Collections of MSCs are often specified by means of high-level MSCs (HM- 
SCs). The latter can be seen as directed graphs labelled by component MSCs. 
However such specifications may be unrealistic because this formalism allows 
for the description of sets of MSCs that correspond to no communicating sys- 
tem. Furthermore in most cases it is undecidable whether a HMSC describes 
an implementable language [1,14,8]. In [17], Mukund et al. introduced a new 
formalism for specifying collections of MSCs: Netcharts can be seen as HMSCs 
with some distributed control whereas HMSCs require implicitly some global 
control over processes in the system. Basically a netchart is a Petri net whose 
places are labelled by processes and whose transitions are labelled by MSCs. 
This new approach benefits from a graphical description, a formal semantics, 
and an appropriate expressive power: As opposed to HMSCs, all netcharts de- 
scribe implementable languages. Our first result completes this relationship and 
shows that netcharts describe precisely all implementable languages (Th. 3.7). 
This key result allows us to answer negatively to some questions left open in [17]. 

First we present several comparisons between netcharts and HMSCs. We show 
that it is undecidable whether a HMSC describes a netchart language (Th. 4.7). 
Conversely, we show also that it is undecidable whether a netchart language can 
be described by some HMSC (Cor. 4.4). Yet as explained below, we can effectively 
check whether a regular netchart is equivalent to some HMSC. These two results 
follow from the observation that a netchart language corresponds to some HMSC 
if and only if it describes a finitely generated set of MSCs (Th. 4.3). 

In the literature regular MSC languages have attracted a lot of interest. 
These languages appeared in [2, 18] as a framework where many model-checking 
problems become decidable. They were investigated later thoroughly and char- 
acterized in a logical way in [8,9]. In particular [8, Th. 4.1] shows how to decide 
whether a regular set of MSCs is finitely generated. Noteworthy, similarly to 
high-level compositional MSCs [7], any regular MSC language is the language of 
some netchart [17]. Answering a second open question from [17], another nega- 
tive consequence of our first result is that regularity is undecidable for netchart 
languages (Cor. 3.8). This is admittedly a major drawback of netcharts. 

Motivated by some restrictions considered at some point in [17], we prove in 
Theorem 5.3 that regularity is decidable for the subclass of FIFO netcharts. The 
latter are defined as those netcharts whose FIFO behaviors correspond exactly to 
the firing sequences of the underlying low-level Petri net. Theorem 5.3 relies on 
a difficult and unrecognized result by Lambert [12, Th. 5.2] together with the re- 
mark that a netchart language is regular if and only if it requires bounded channel 
capacities. Additionally we show that we can check effectively whether a netchart 
is FIFO (Th. 5.2) by reduction to the reachability problem in Petri nets [15]. 

This paper investigates two semantics of netcharts. The FIFO semantics 
adopted in [17] appears as a restriction of a more general semantics that allows 
non-FIFO behaviors. In most cases, results extend from the FIFO semantics 
to the non-FIFO one. However we exhibit a netchart that is not implementable 
under the non-FIFO semantics. To simplify the presentation of our results the 
non-FIFO semantics is investigated separately in the last section. 



1 Background 

Message sequence charts (MSCs) are defined by several recommendations that indicate how one should represent them graphically [11]. Examples of MSCs are given in Figures 1 and 2 in which time flows top-down. In this paper we regard MSCs as particular labelled partial orders (or pomsets) following a traditional trend of modeling concurrent executions [6,13,20]. This approach allows for applying classical results of Mazurkiewicz trace theory to the framework of MSCs [18,8,9,16,3].

Fig. 1. FIFO MSC

Fig. 2. Non-FIFO MSC

Fig. 3. Degenerate behavior

A pomset over an alphabet $\Sigma$ is a triple $t = (E, \preceq, \xi)$ where $(E, \preceq)$ is a finite partial order and $\xi$ is a mapping from $E$ to $\Sigma$. A pomset can be seen as an abstraction of an execution of a concurrent system. In this view, the elements $e$ of $E$ are events and their label $\xi(e)$ describes the basic action of the system that is performed by the event $e \in E$. Furthermore, the order $\preceq$ describes the causal dependence between the events.

An order extension of a pomset $t = (E, \preceq, \xi)$ is a pomset $t' = (E, \preceq', \xi)$ such that $\preceq \subseteq \preceq'$. A linear extension of $t$ is an order extension that is linearly ordered. It corresponds to a sequential view of the concurrent execution $t$. Linear extensions of a pomset $t$ over $\Sigma$ can naturally be regarded as words over $\Sigma$. By $LE(t) \subseteq \Sigma^*$, we denote the set of linear extensions of a pomset $t$ over $\Sigma$.



1.1 FIFO and Non-FIFO Basic Message Sequence Charts

We present here a formal definition of MSCs. The latter appear as particular pomsets over some alphabet $\Sigma_{\mathcal{I}}$ that we introduce first. Let $\mathcal{I}$ be a finite set of processes (also called instances) and $\Lambda$ be a finite set of messages. For any instance $i \in \mathcal{I}$, the alphabet $\Sigma_i = \Sigma_i^! \cup \Sigma_i^?$ is the disjoint union of the set of send actions $\Sigma_i^! = \{i!^x j \mid j \in \mathcal{I} \setminus \{i\}, x \in \Lambda\}$ and the set of receive actions $\Sigma_i^? = \{i?^x j \mid j \in \mathcal{I} \setminus \{i\}, x \in \Lambda\}$. The alphabets $\Sigma_i$ are disjoint and we put $\Sigma_{\mathcal{I}} = \bigcup_{i \in \mathcal{I}} \Sigma_i$. Given an action $a \in \Sigma_{\mathcal{I}}$, we denote by $Ins(a)$ the unique instance $i$ such that $a \in \Sigma_i$, that is the particular instance on which each occurrence of action $a$ takes place.

For any pomset $(E, \preceq, \xi)$ over $\Sigma_{\mathcal{I}}$ we denote by $Ins(e)$ the instance on which the event $e$ occurs: $Ins(e) = Ins(\xi(e))$. We say that $f$ covers $e$ and we write $e \lessdot f$ if $e \prec f$ and $e \prec g \preceq f$ implies $g = f$. We say that two events $e$ and $f$ are two matching events and we write $e \leadsto f$ if $e$ is the $n$-th send event $i!^x j$ and $f$ is the $n$-th receive event $j?^x i$. In other words, we put $e \leadsto f$ if there are two instances $i$ and $j$ and some message $x \in \Lambda$ such that $\xi(e) = i!^x j$, $\xi(f) = j?^x i$ and $Card\{e' \in E \mid \xi(e') = i!^x j \wedge e' \preceq e\} = Card\{f' \in E \mid \xi(f') = j?^x i \wedge f' \preceq f\}$.
Definition 1.1. A basic message sequence chart (MSC) over the set of messages $\Lambda$ is a pomset $M = (E, \preceq, \xi)$ over $\Sigma_{\mathcal{I}}$ such that

$M_1$: $\forall e, f \in E$: $Ins(e) = Ins(f) \Rightarrow (e \preceq f \vee f \preceq e)$

$M_2$: $\forall e \in E$, $\exists f \in E$, $e \leadsto f \vee f \leadsto e$

$M_3$: $e \leadsto f \Rightarrow e \preceq f$

$M_4$: $[e \lessdot f \wedge Ins(e) \neq Ins(f)] \Rightarrow e \leadsto f$.

By $M_1$, events occurring on the same instance are linearly ordered: In particular non-deterministic choice cannot be described within a basic MSC. Condition $M_2$ makes sure that each receive event matches some send event and conversely. Thus there is no duplication of messages within the channels and $M_2$ formalizes partly the reliability of the channels. Following the recommendation Z.120, we allow overtaking (Fig. 2) but forbid any reversal of the order in which two identical messages $m$ sent from $i$ to $j$ are received by $j$ (Fig. 3). Now $M_3$ formalizes simply that the receipt of any message will occur after the corresponding send event. Finally, by $M_4$, causality in $M$ consists only in the linear dependency on each instance and the ordering of pairs of matching events. The set of all basic MSCs is denoted by $bMSC$. Note here that if two basic MSCs share some linear extension then they are equal. We denote by $Ins(M)$ the set of active instances of an MSC $M$: $Ins(M) = \{i \in \mathcal{I} \mid \exists e \in E, Ins(e) = i\}$.

In Figure 2, the basic MSC exhibits some overtaking of message $y$ above 
two messages x. A basic MSC satisfies the FIFO requirement if it shows no 
overtaking, that is, the messages from one instance to another are delivered 
in the order they are sent (Fig. 1). Non-FIFO basic MSCs allow for specifying 
scenarios that use several channels (or message types) between pairs of processes 
(Fig. 2). A more critical situation is illustrated by Figure 3. In this drawing, one 
message overtakes another one with the same content: In this paper, differently 
from [4] we forbid this kind of behaviors. 
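The matching relation and the axioms $M_1$ to $M_4$ above, as an added example that is not code from the paper: it computes $e \leadsto f$ by the $n$-th send / $n$-th receive rule and reports which axioms a constructed pomset violates, on three charts built in the spirit of Figs. 1 to 3. Event names, the tuple encoding of actions and the sample charts are our assumptions.

```python
"""Added example, not code from the paper: the matching relation e ~> f of
Section 1.1 and the axioms M1-M4 of Definition 1.1, checked on constructed
pomsets. Actions are encoded as ("!", i, x, j) for i!^x j and ("?", j, x, i)
for j?^x i; event names and the three sample charts are ours."""
from itertools import product


class Pomset:
    def __init__(self, labels, order):
        """labels: event -> action; order: pairs (e, f) meaning e < f.
        The constructor takes the reflexive-transitive closure."""
        self.E = list(labels)
        self.xi = labels
        self.le = {(e, e) for e in self.E} | set(order)
        changed = True
        while changed:
            changed = False
            for (a, b), (c, d) in product(list(self.le), repeat=2):
                if b == c and (a, d) not in self.le:
                    self.le.add((a, d))
                    changed = True

    def ins(self, e):
        """Ins(e): the instance on which e occurs."""
        return self.xi[e][1]

    def matching(self):
        """e ~> f iff e is the n-th send i!^x j and f the n-th receive j?^x i."""
        pairs = set()
        for e, f in product(self.E, repeat=2):
            kind, i, x, j = self.xi[e]
            kind2, j2, x2, i2 = self.xi[f]
            if kind != "!" or kind2 != "?" or (i, x, j) != (i2, x2, j2):
                continue
            n_send = sum(1 for g in self.E if self.xi[g] == self.xi[e] and (g, e) in self.le)
            n_recv = sum(1 for g in self.E if self.xi[g] == self.xi[f] and (g, f) in self.le)
            if n_send == n_recv:
                pairs.add((e, f))
        return pairs

    def covers(self, e, f):
        """e --< f: e < f with no event strictly in between."""
        return e != f and (e, f) in self.le and not any(
            g not in (e, f) and (e, g) in self.le and (g, f) in self.le for g in self.E)

    def violated_axioms(self):
        """Names of the axioms of Definition 1.1 that the pomset violates."""
        m, bad = self.matching(), set()
        for e, f in product(self.E, repeat=2):
            if self.ins(e) == self.ins(f) and (e, f) not in self.le and (f, e) not in self.le:
                bad.add("M1")            # same instance, unordered
            if (e, f) in m and (e, f) not in self.le:
                bad.add("M3")            # receive not after its send
            if self.covers(e, f) and self.ins(e) != self.ins(f) and (e, f) not in m:
                bad.add("M4")            # cross-instance cover that is not a message
        if any(not any((e, f) in m or (f, e) in m for f in self.E) for e in self.E):
            bad.add("M2")                # unmatched event
        return bad

    def is_fifo(self):
        """No overtaking: messages on one channel are received in send order."""
        m = self.matching()
        return all((f1, f2) in self.le for (e1, f1), (e2, f2) in product(m, repeat=2)
                   if self.ins(e1) == self.ins(e2) and self.ins(f1) == self.ins(f2)
                   and (e1, e2) in self.le)


# Constructed charts in the spirit of Figs. 1-3: i sends to j, time flows top-down
FIFO_MSC = Pomset({"e1": ("!", "i", "x", "j"), "e2": ("!", "i", "y", "j"),
                   "f1": ("?", "j", "x", "i"), "f2": ("?", "j", "y", "i")},
                  {("e1", "e2"), ("f1", "f2"), ("e1", "f1"), ("e2", "f2")})
NONFIFO_MSC = Pomset({"e1": ("!", "i", "x", "j"), "e2": ("!", "i", "y", "j"),
                      "fy": ("?", "j", "y", "i"), "fx": ("?", "j", "x", "i")},
                     {("e1", "e2"), ("fy", "fx"), ("e1", "fx"), ("e2", "fy")})
DEGENERATE = Pomset({"e1": ("!", "i", "x", "j"), "e2": ("!", "i", "x", "j"),
                     "g1": ("?", "j", "x", "i"), "g2": ("?", "j", "x", "i")},
                    {("e1", "e2"), ("g2", "g1"), ("e1", "g1"), ("e2", "g2")})
```

The degenerate chart is rejected by $M_4$ rather than by the matching rule: counting pairs the first send with the first receive, so the drawn crossing arrow becomes a cross-instance cover that is not a matching pair.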



1.2 Petri Nets

Let us now recall the definition of a Petri net and some usual notations. A Petri net is a triple $\mathcal{N} = (P, T, F)$ where $P$ is a set of places, $T$ is a set of transitions such that $P \cap T = \emptyset$, and $F \subseteq (P \times T) \cup (T \times P)$ is a flow relation. We shall use the following usual notations. For all $x \in P \cup T$, we put ${}^\bullet x = \{y \in P \cup T \mid (y, x) \in F\}$ and $x^\bullet = \{y \in P \cup T \mid (x, y) \in F\}$. Clearly, for all transitions $t$, ${}^\bullet t$ and $t^\bullet$ are sets of places, and conversely for all places $p \in P$, ${}^\bullet p$ and $p^\bullet$ are both sets of transitions. A marking $m$ of $\mathcal{N}$ is a multiset of places $m \in \mathbb{N}^P$. A transition $t$ is enabled at $m \in \mathbb{N}^P$ if $m(p) \geq 1$ for all $p \in {}^\bullet t$. In this case, we write $m [t\rangle m'$ where the marking $m'$ is defined by $m'(p) = m(p) - 1$ if $p \in {}^\bullet t \setminus t^\bullet$, $m'(p) = m(p) + 1$ if $p \in t^\bullet \setminus {}^\bullet t$, and $m'(p) = m(p)$ otherwise.

In this paper, we consider Petri nets provided with an initial marking $m_{in}$ and a finite set of final markings $\mathcal{S}$. An execution sequence is a word $u = t_1 \ldots t_n \in T^*$ such that there are markings $m_0, \ldots, m_n$ satisfying $m_0 = m_{in}$, $m_n \in \mathcal{S}$ and $m_{k-1} [t_k\rangle m_k$ for all integers $k \in [1, n]$. The language $L(\mathcal{N})$ consists of all execution sequences of $\mathcal{N}$.
Fig. 4. A netchart $\mathcal{N}$ and a corresponding MSC

1.3 Netcharts

A netchart is basically a Petri net whose places are labelled by instances and whose transitions are labelled by FIFO basic MSCs. Similarly to Petri nets, netcharts admit an intuitive visual representation: Examples of netcharts are given in Fig. 4, 7, and 9.

Definition 1.2. A netchart over $\Lambda$ consists of a Petri net $(P, T, F, m_{in}, \mathcal{S})$ and two mappings $Ins : P \to \mathcal{I}$ and $\mathcal{M} : T \to bMSC$ such that $Ins$ associates some instance $Ins(p)$ to each place $p$ and $\mathcal{M}$ associates a FIFO basic MSC $\mathcal{M}(t)$ over the set of messages $\Lambda$ to each transition $t \in T$. Three conditions are required for such a structure to be a netchart:

$N_1$: For each instance $i \in \mathcal{I}$, the places located on instance $i$ contain exactly one token in the initial marking, i.e. $\sum_{Ins(p) = i} m_{in}(p) = 1$.

$N_2$: For each transition $t$ and each active instance $i \in Ins(\mathcal{M}(t))$, there is exactly one place $p \in {}^\bullet t$ such that $Ins(p) = i$ and there is exactly one place $p \in t^\bullet$ such that $Ins(p) = i$.

$N_3$: For each transition $t$ and each place $p \in {}^\bullet t \cup t^\bullet$, the instance associated to $p$ is active in $\mathcal{M}(t)$: $Ins(p) \in Ins(\mathcal{M}(t))$.

Observe here that the last requirement $N_3$ implies that ${}^\bullet t \cup t^\bullet$ is empty as soon as $\mathcal{M}(t)$ is the empty MSC. However Axiom $N_3$ plays actually no role in the semantics of netcharts and it could be removed for simplification’s sake.
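The firing rule and execution sequences of Section 1.2 together with the conditions $N_1$ to $N_3$ of Definition 1.2, as an added example that is not code from the paper. The net, its place and transition names and the instance labels are constructed by us; each transition carries only the set of active instances $Ins(\mathcal{M}(t))$ of its component MSC, which is all that $N_2$ and $N_3$ inspect.

```python
"""Added example, not code from the paper: the firing rule and execution
sequences of Section 1.2 together with the netchart conditions N1-N3 of
Definition 1.2. The net below is constructed (names are ours). Each transition
carries only the set of active instances Ins(M(t)) of its component MSC,
which is all that N2 and N3 inspect."""
from collections import Counter


class Net:
    def __init__(self, places, transitions, m_in, finals):
        self.ins = dict(places)                  # place -> instance label Ins(p)
        self.trans = transitions                 # t -> (pre-set, post-set, Ins(M(t)))
        self.m_in = Counter(m_in)
        self.finals = [Counter(f) for f in finals]

    def enabled(self, m, t):
        """t is enabled at m if m(p) >= 1 for all p in the pre-set of t."""
        return all(m[p] >= 1 for p in self.trans[t][0])

    def fire(self, m, t):
        """m [t> m': -1 on pre-set minus post-set, +1 on post-set minus pre-set."""
        pre, post, _ = self.trans[t]
        m2 = Counter(m)
        for p in pre - post:
            m2[p] -= 1
        for p in post - pre:
            m2[p] += 1
        return +m2                               # drop zero counts for comparisons

    def language(self, max_len):
        """Execution sequences u = t1..tn (n <= max_len) from m_in to a final marking."""
        words, stack = set(), [((), self.m_in)]
        while stack:
            u, m = stack.pop()
            if m in self.finals:
                words.add(u)
            if len(u) < max_len:
                for t in self.trans:
                    if self.enabled(m, t):
                        stack.append((u + (t,), self.fire(m, t)))
        return words

    def netchart_violations(self):
        """Violations of N1-N3, as tuples naming the axiom and the offending item."""
        bad = set()
        for i in set(self.ins.values()):         # N1: one initial token per instance
            if sum(self.m_in[p] for p in self.ins if self.ins[p] == i) != 1:
                bad.add(("N1", i))
        for t, (pre, post, active) in self.trans.items():
            for i in active:                     # N2: one pre and one post place per active instance
                if sum(1 for p in pre if self.ins[p] == i) != 1 \
                        or sum(1 for p in post if self.ins[p] == i) != 1:
                    bad.add(("N2", t, i))
            for p in pre | post:                 # N3: connected places belong to active instances
                if self.ins[p] not in active:
                    bad.add(("N3", t, p))
        return bad


PLACES = {"p_i": "i", "q_i": "i", "p_j": "j", "q_j": "j"}
# t1: i and j exchange a message and move to q_i, q_j; t2 brings them back
GOOD = Net(PLACES,
           {"t1": ({"p_i", "p_j"}, {"q_i", "q_j"}, {"i", "j"}),
            "t2": ({"q_i", "q_j"}, {"p_i", "p_j"}, {"i", "j"})},
           {"p_i": 1, "p_j": 1}, [{"p_i": 1, "p_j": 1}])
# Same places, but two tokens on j initially and a transition that declares j
# active without touching any place of j
BAD = Net(PLACES,
          {"t1": ({"p_i", "p_j"}, {"q_i", "q_j"}, {"i", "j"}),
           "t3": ({"p_i"}, {"q_i"}, {"i", "j"})},
          {"p_i": 1, "p_j": 1, "q_j": 1}, [{"p_i": 1, "p_j": 1}])
```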

2 Semantics of Netcharts

In this section we fix a netchart $\mathcal{N} = ((P, T, F, m_{in}, \mathcal{S}), Ins, \mathcal{M})$ over the set of messages $\Lambda$ and define formally its behaviors. The semantics of $\mathcal{N}$ consists of basic MSCs over $\Lambda$ (Fig. 4). The latter are derived from the basic MSCs that represent the execution sequences of some low-level Petri net $\mathfrak{N}$ (Fig. 4 and 6). Actually, the execution sequences of $\mathfrak{N}$ use a refined set of messages $\Lambda^\circ$ and MSCs of $\mathcal{N}$ are obtained by projection of messages from $\Lambda^\circ$ onto $\Lambda$.
2.1 From MSCs to Petri Nets

The construction of the low-level Petri net $\mathfrak{N}$ starts with the translation of each transition $t \in T$ with component MSC $\mathcal{M}(t) = (E, \preceq, \xi)$ into some Petri net $\mathcal{N}_t = (P_t, T_t, F_t)$. This natural operation is depicted in Fig. 5.

This construction needs to regard each component MSC $M = (E, \preceq, \xi)$ as a dag (directed acyclic graph) denoted by $(E, \lessdot^\bullet, \xi)$. For any instance $i \in \mathcal{I}$ we let $\preceq_i$ be the restriction of $\preceq$ to events located on instance $i$. Then $e \lessdot_i f$ if $e$ occurs immediately before $f$ on instance $i$. Then the binary relation $\lessdot^\bullet$ consists of pairs of matching events together with pairs of covering events w.r.t. $\preceq_i$.

Definition 2.1. The MSC dag of a basic MSC $M = (E, \preceq, \xi)$ is a labelled directed acyclic graph $(E, \lessdot^\bullet, \xi)$ such that $e \lessdot^\bullet f$ if $e \leadsto f$ or $e \lessdot_i f$ for some instance $i \in \mathcal{I}$.

Clearly we can recover the basic MSC from its MSC dag. The reason for this is that $\lessdot \subseteq \lessdot^\bullet$, hence $\preceq$ is simply the reflexive and transitive closure of $\lessdot^\bullet$. That is why we will identify a basic MSC with its corresponding MSC dag.

We can now formalize how each component MSC $\mathcal{M}(t) = (E, \lessdot^\bullet, \xi)$ is translated into some Petri net $\mathcal{N}_t = (P_t, T_t, F_t)$. First, the places $P_t$ are identified with pairs from $\lessdot^\bullet$. Second the transitions $T_t$ are identified with some send or receive actions over a new set of messages from $\Lambda \times T \times P_t$. Formally, we put $P_t = \lessdot^\bullet$ and $T_t = \{\, i!^{m,t,(e,f)} j,\ j?^{m,t,(e,f)} i \mid (e, f) \in \lessdot^\bullet \wedge \xi(e) = i!^m j \wedge \xi(f) = j?^m i \,\}$.

Note that the translation from the basic MSC $\mathcal{M}(t)$ into the Petri net $\mathcal{N}_t$ is one-to-one: We will be able to recover the basic MSC $\mathcal{M}(t)$ from the Petri net $\mathcal{N}_t$. For this, we let $\rho$ be the mapping from $T_t$ to $E$ such that $\rho(i!^{m,t,(e,f)} j) = e$ and $\rho(j?^{m,t,(e,f)} i) = f$. To complete the definition of $\mathcal{N}_t$ we choose a flow relation $F_t$ in accordance with the causality relation $\lessdot^\bullet$ of $\mathcal{M}(t)$: We put

$F_t = \{(r, (e, f)) \in T_t \times P_t \mid \rho(r) = e\} \cup \{((e, f), r) \in P_t \times T_t \mid \rho(r) = f\}$.

The transitions of the Petri net $\mathcal{N}_t = (P_t, T_t, F_t)$ will be connected to places of $\mathcal{N}$ by means of the following connection relation:

$F'_t = \{(p, r) \in P \times T_t \mid p \in {}^\bullet t \wedge {}^\bullet r = \emptyset \wedge Ins(\rho(r)) = Ins(p)\} \cup \{(r, p) \in T_t \times P \mid p \in t^\bullet \wedge r^\bullet = \emptyset \wedge Ins(\rho(r)) = Ins(p)\}$.

2.2 Low-Level Petri Net

Now, in order to build the low-level Petri net $\mathfrak{N}$ of the netchart $\mathcal{N}$, we replace each transition $t \in T$ of $\mathcal{N}$ by its corresponding Petri net $\mathcal{N}_t$ as shown in Fig. 6.

Fig. 5. From transition $t_1$ to Petri net $\mathcal{N}_{t_1}$

Fig. 6. The low-level Petri net $\mathfrak{N}$ associated to the netchart $\mathcal{N}$ of Fig. 4

The low-level Petri net $\mathfrak{N} = (P_{\mathfrak{N}}, T_{\mathfrak{N}}, F_{\mathfrak{N}}, m_{in}, \mathcal{S}_{\mathfrak{N}})$ is built as follows. First, the set of places $P_{\mathfrak{N}}$ collects the places of $\mathcal{N}$ and the places of all $\mathcal{N}_t$: $P_{\mathfrak{N}} = \bigcup_{t \in T} P_t \cup P$. Second, the set of transitions collects all transitions of all $\mathcal{N}_t$: $T_{\mathfrak{N}} = \bigcup_{t \in T} T_t$. Now the flow relation consists of the flow relation $F_t$ of each $\mathcal{N}_t$ together with the connection relations $F'_t$: $F_{\mathfrak{N}} = \bigcup_{t \in T} F_t \cup F'_t$. The initial marking of $\mathfrak{N}$ is the one of $\mathcal{N}$: The new places $p \in P_{\mathfrak{N}} \setminus P$ are initially empty. Similarly a marking $m$ of $\mathfrak{N}$ is final if the restriction of $m$ to the places of $\mathcal{N}$ is a final marking of $\mathcal{N}$ and if all other places are empty: $\mathcal{S}_{\mathfrak{N}} = \{m \in \mathbb{N}^{P_{\mathfrak{N}}} \mid m|_P \in \mathcal{S} \wedge m|_{P_{\mathfrak{N}} \setminus P} = 0\}$.

Any execution sequence $u \in L(\mathfrak{N})$ of the low-level Petri net leads from the initial marking to some final marking for which all places from $P_t$ are empty. Moreover $u$ is actually a linear extension of a unique basic MSC.

Definition 2.2. The MSC language $\mathcal{L}_{\mathrm{fifo}}(\mathfrak{N})$ consists of the FIFO basic MSCs $M$ such that at least one linear extension of $M$ is an execution sequence of $\mathfrak{N}$.

Interestingly, similarly to a property observed with message passing automata (Def. 3.2 below), it can be easily shown that a basic MSC $M$ belongs to $\mathcal{L}_{\mathrm{fifo}}(\mathfrak{N})$ if and only if all linear extensions of $M$ are execution sequences of $\mathfrak{N}$. Noteworthy, it can happen that an execution sequence of the low-level Petri net $\mathfrak{N}$ corresponds to a non-FIFO MSC (see e.g. [17, Fig. 5] or Fig. 7). Following [17], we focus on FIFO behaviors and neglect this kind of execution sequences here. We will investigate a non-FIFO semantics of netcharts in the last section only.

2.3 Set of MSCs Associated to Some Netchart

Recall now that MSCs from $\mathcal{L}_{\mathrm{fifo}}(\mathfrak{N})$ use a refined set of messages $\Lambda^\circ$ that consists of triples $(m, t, a)$ where $m \in \Lambda$, $t \in T$, and $a \in P_t$. We let $\pi^\circ : \Lambda^\circ \to \Lambda$ denote the labelling that associates the message $m \in \Lambda$ to each triple $(m, t, a) \in \Lambda^\circ$. This labelling extends to a function that maps actions of $\Sigma_{\mathcal{I}}$ over $\Lambda^\circ$ onto actions of $\Sigma_{\mathcal{I}}$ over $\Lambda$ in a natural way. Furthermore this mapping extends in the obvious way from the FIFO basic MSCs over $\Lambda^\circ$ to the FIFO basic MSCs over $\Lambda$. The semantics of the netchart $\mathcal{N}$ is defined from the semantics of its low-level Petri net $\mathfrak{N}$ by means of the labelling $\pi^\circ$.

Fig. 7. Netchart $\mathcal{N}_1$ and some non-FIFO behaviour $N \notin \mathcal{L}_{\mathrm{fifo}}(\mathcal{N})$

Definition 2.3. The MSC language $\mathcal{L}_{\mathrm{fifo}}(\mathcal{N})$ is the set of FIFO basic MSCs obtained from an MSC of its low-level Petri net by the labelling $\pi^\circ$: $\mathcal{L}_{\mathrm{fifo}}(\mathcal{N}) =$

We stress here that $\pi^\circ$ maps FIFO basic MSCs onto FIFO basic MSCs. The situation with non-FIFO basic MSCs may be more complicated as we will see in the last section.

3 Netcharts vs. Implementable Languages

In this section, we study how netcharts relate to communicating systems. We consider the set of channels $\mathcal{K}$ that consists of all triples $(i, j, x) \in \mathcal{I} \times \mathcal{I} \times \Lambda$: A channel state is then formalized by a map $\chi : \mathcal{K} \to \mathbb{N}$ that describes the queues of messages within the channels at some stage of an execution. The empty channel state $\chi_0$ is such that each channel maps to 0.

Definition 3.1. A message passing automaton (MPA) $\mathcal{S}$ over $\Lambda$ consists of a family of local components $(\mathcal{A}_i)_{i \in \mathcal{I}}$ and a subset of global final states $F$ such that each component $\mathcal{A}_i$ is a transition system $(Q_i, \iota_i, \to_i)$ over $\Sigma_i$ where $Q_i$ is a finite set of $i$-local states, with initial state $\iota_i \in Q_i$, $\to_i \subseteq (Q_i \times \Sigma_i \times Q_i)$ is the $i$-local transition relation and $F \subseteq (\prod_{i \in \mathcal{I}} Q_i) \times \{\chi_0\}$.

3.1 Semantics of MPA

A global state is a pair $(s, \chi)$ where $s \in \prod_{i \in \mathcal{I}} Q_i$ is a tuple of local states and $\chi$ is a channel state. The initial global state is the pair $\iota = (s, \chi)$ such that $s =$ and $\chi = \chi_0$ is the empty channel state. The system of global states associated to $\mathcal{S}$ is the transition system $\mathcal{A}_{\mathcal{S}} = (Q, \iota, \to)$ over $\Sigma_{\mathcal{I}}$ where $Q = \prod_{i \in \mathcal{I}} Q_i \times \mathbb{N}^{\mathcal{K}}$ is the set of global states and the global transition relation $\to \subseteq Q \times \Sigma_{\mathcal{I}} \times Q$ satisfies:

- for all $(i, j, m) \in \mathcal{K}$, $((q_k)_{k \in \mathcal{I}}, \chi) \xrightarrow{i!^m j} ((q'_k)_{k \in \mathcal{I}}, \chi')$ if

1. $q_i \xrightarrow{i!^m j}_i q'_i$ and $q'_k = q_k$ for all $k \in \mathcal{I} \setminus \{i\}$,

2. $\chi'(i, j, m) = \chi(i, j, m) + 1$ and $\chi'(x) = \chi(x)$ for all $x \in \mathcal{K} \setminus \{(i, j, m)\}$;

- for all $(i, j, m) \in \mathcal{K}$, $((q_k)_{k \in \mathcal{I}}, \chi) \xrightarrow{j?^m i} ((q'_k)_{k \in \mathcal{I}}, \chi')$ if

1. $q_j \xrightarrow{j?^m i}_j q'_j$ and $q'_k = q_k$ for all $k \in \mathcal{I} \setminus \{j\}$,

2. $\chi(i, j, m) = 1 + \chi'(i, j, m)$ and $\chi'(x) = \chi(x)$ for all $x \in \mathcal{K} \setminus \{(i, j, m)\}$.
As usual with transition systems, for any $u = a_1 \ldots a_n \in \Sigma_I^*$, we write $q \xrightarrow{u} q'$
if there are some global states $q_0, \ldots, q_n \in Q$ such that $q_0 = q$, $q_n = q'$ and for all
$r \in [1, n]$, $q_{r-1} \xrightarrow{a_r} q_r$. An execution sequence of $\mathcal{S}$ is a word $u \in \Sigma_I^*$ such that
$\iota \xrightarrow{u} q$ for some global final state $q \in F$.

Consider now an MPA $\mathcal{S}$ with components $(\mathcal{A}_i)_{i \in I}$ and global final states $F$.

Any execution sequence $u \in \Sigma_I^*$ is a linear extension of a (unique) basic MSC.

Definition 3.2. The language $\mathcal{L}_{fifo}(\mathcal{S})$ consists of the FIFO basic MSCs $M$ such
that at least one linear extension of $M$ is an execution sequence of $\mathcal{S}$.

Noteworthy, it can be easily shown that a basic MSC $M$ belongs to $\mathcal{L}_{fifo}(\mathcal{S})$ iff
all linear extensions of $M$ are execution sequences of $\mathcal{S}$. We say that a language
$\mathcal{L} \subseteq \mathrm{bMSC}$ is realizable if there exists some MPA $\mathcal{S}$ such that $\mathcal{L} = \mathcal{L}_{fifo}(\mathcal{S})$.

Example 3.3. Consider the netchart $N_1$ depicted in Figure 7 for which the
initial marking is the single final marking. Its language $\mathcal{L}_{fifo}(N_1)$ is the set of all
basic MSCs that consist only of messages $a$ and $b$ exchanged from $i$ to $j$ in a
FIFO manner. Clearly, the language $\mathcal{L}_{fifo}(N_1)$ is realizable.
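The two global transition rules of Section 3.1 and Definition 3.2 are small enough to execute. The following Python program is an added example (it is not the paper's code): it encodes an MPA with one counter per channel $(i, j, m)$, exactly as $\chi : \mathcal{K} \to \mathbb{N}$, decides whether a word is an execution sequence, and tests whether the basic MSC that a word is a linear extension of is FIFO. The automaton S1, the instance names i, j and the messages a, b are constructed here in the spirit of the netchart $N_1$ of Example 3.3; they are not read off the paper's figure.

```python
"""Global-state semantics of a message passing automaton (MPA), Section 3.1.

Added example (not the paper's own code). Actions are tuples:
('!', i, j, m) stands for i!^m j (i sends m to j) and ('?', j, i, m) for
j?^m i (j receives m from i). A channel state is a counter over the
channels (i, j, m), as chi : K -> N in the text."""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Action = Tuple[str, str, str, str]
Local = Tuple[Tuple[str, str], ...]                      # sorted (instance, local state)
Chan = Tuple[Tuple[Tuple[str, str, str], int], ...]      # sorted ((i, j, m), count), zeros omitted
Global = Tuple[Local, Chan]


@dataclass(frozen=True)
class Component:
    """Local component A_i = (Q_i, iota_i, ->_i); Q_i is implicit in trans."""
    init: str
    trans: FrozenSet[Tuple[str, Action, str]]


@dataclass(frozen=True)
class MPA:
    comps: Dict[str, Component]   # i -> A_i for every instance i in I
    final: FrozenSet[Local]       # F: final tuples of local states, paired with chi_0

    def initial(self) -> Global:
        """iota = ((iota_i)_{i in I}, chi_0); the empty channel state is the empty tuple."""
        return (tuple(sorted((i, c.init) for i, c in self.comps.items())), ())


def _pack(locs: Dict[str, str], chan: Counter) -> Global:
    return (tuple(sorted(locs.items())),
            tuple(sorted((k, n) for k, n in chan.items() if n > 0)))


def step(mpa: MPA, g: Global, a: Action) -> List[Global]:
    """All global successors of g under action a (the two rules of Section 3.1)."""
    kind, actor, peer, m = a
    locs, chan = dict(g[0]), Counter(dict(g[1]))
    key = (actor, peer, m) if kind == '!' else (peer, actor, m)   # the channel (i, j, m)
    if kind == '?' and chan[key] < 1:
        return []            # chi(i,j,m) = 1 + chi'(i,j,m) has no solution: nothing to receive
    out = []
    for q, b, q2 in mpa.comps[actor].trans:
        if q == locs[actor] and b == a:       # q_actor -a->_actor q'_actor, others unchanged
            nl = dict(locs)
            nl[actor] = q2
            nc = Counter(chan)
            nc[key] += 1 if kind == '!' else -1
            out.append(_pack(nl, nc))
    return out


def run(mpa: MPA, word: List[Action]) -> Set[Global]:
    """The global states q with iota -u-> q."""
    frontier = {mpa.initial()}
    for a in word:
        frontier = {g2 for g in frontier for g2 in step(mpa, g, a)}
    return frontier


def is_execution(mpa: MPA, word: List[Action]) -> bool:
    """u is an execution sequence iff iota -u-> (s, chi_0) for some s in F."""
    return any(chan == () and locs in mpa.final for locs, chan in run(mpa, word))


def is_fifo(word: List[Action]) -> bool:
    """Does the (unique) basic MSC whose linear extension is `word` respect FIFO
    on every link (i, j)? Each receive must take the oldest pending message."""
    pending: Dict[Tuple[str, str], deque] = {}
    for kind, actor, peer, m in word:
        if kind == '!':
            pending.setdefault((actor, peer), deque()).append(m)
        else:
            q = pending.get((peer, actor))
            if not q or q.popleft() != m:
                return False
    return True


# Constructed sample in the spirit of Example 3.3: i keeps sending a or b to j.
SEND_A, SEND_B = ('!', 'i', 'j', 'a'), ('!', 'i', 'j', 'b')
RECV_A, RECV_B = ('?', 'j', 'i', 'a'), ('?', 'j', 'i', 'b')
S1 = MPA(
    comps={'i': Component('s', frozenset({('s', SEND_A, 's'), ('s', SEND_B, 's')})),
           'j': Component('r', frozenset({('r', RECV_A, 'r'), ('r', RECV_B, 'r')}))},
    final=frozenset({(('i', 's'), ('j', 'r'))}))

if __name__ == "__main__":
    for w in ([SEND_A, SEND_B, RECV_A, RECV_B], [SEND_A, SEND_B, RECV_B, RECV_A]):
        print(w, "execution:", is_execution(S1, w), "FIFO:", is_fifo(w))
```

The second sample word is accepted as an execution sequence because the counters for $(i, j, a)$ and $(i, j, b)$ are independent, yet its basic MSC lets $b$ overtake $a$. This is exactly why Definition 3.2 keeps only the FIFO basic MSCs: the FIFO test above is the filter that decides whether a word's MSC may enter $\mathcal{L}_{fifo}(\mathcal{S})$.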

3.2 Implementation of MSC Languages 

As observed in [1], there are finite sets of FIFO basic MSCs that are not realizable.
For this reason, it is natural to relax the notion of realization. In [9], Henriksen
et al. suggested to allow some refinements of message contents as follows.

Definition 3.4. Let $\mathcal{L} \subseteq \mathrm{bMSC}$ be an MSC language over the set of messages
$\Lambda$. We say that $\mathcal{L}$ is implementable if there are some MPA $\mathcal{S}$ over some set of
messages $\Lambda'$ and some labelling $\lambda : \Lambda' \to \Lambda$ such that $\mathcal{L} = \lambda(\mathcal{L}_{fifo}(\mathcal{S}))$.

Note here that any implementable language consists of FIFO basic MSCs
only because $\lambda(M)$ is FIFO as soon as $M$ is FIFO.

As the next result shows, the refinement of message contents by means of
labellings helps the synthesis of MPAs from sets of scenarios. As oppos to the
restrictive approach studied in [1, 14] which sticks to the specified set of message
contents, labellings allow for the implementation of any finite set of basic MSCs.
Actually the refinement of messages allows for the implementation of any regular
set of FIFO basic MSCs. Recall here that an MSC language $\mathcal{L} \subseteq \mathrm{bMSC}$ is called
regular if the set of corresponding linear extensions $LE(\mathcal{L}) = \{LE(M) \mid M \in \mathcal{L}\}$
is a regular set of words.

Theorem 3.5. [9, Th. 3-4] All regular sets of FIFO basic MSCs are implementable.

One main property of netcharts is the following. 

Theorem 3.6. [17] For any netchart $N$, $\mathcal{L}_{fifo}(N)$ is implementable.

Note that Theorem 3.6 fails if we forbid refinements, that is if we require
that $\mathcal{L}_{fifo}(N) = \mathcal{L}_{fifo}(\mathcal{S})$. The reason for this is again that there are finite sets of
FIFO basic MSCs that are not realizable while they are netchart languages.
3.3 From Message Passing Automata to Netcharts

In [17, Th. 6], it is shown that any regular MSC language is a netchart language.
However the converse fails: There are netchart languages that are not regular
(see e.g. Example 3.3). Our first result characterizes the expressive power of
netcharts and establishes the converse of Theorem 3.6.

Theorem 3.7. Any implementable language is the MSC language of some
netchart whose component MSCs consist only of a pair of matching events.

We stress that Theorem 3.7 is effective: For any MPA $\mathcal{S}$ over the set of
messages $\Lambda'$ and any labelling $\lambda : \Lambda' \to \Lambda$, we can build a netchart $N$ such that
$\mathcal{L}_{fifo}(N) = \lambda(\mathcal{L}_{fifo}(\mathcal{S}))$. Theorem 3.7 subsumes [17, Th. 6] because all regular MSC
languages are implementable (Th. 3.5) and there are implementable languages
that are not regular (Ex. 3.3). The proof of Theorem 3.7 is rather tedious. It
differs from the proof of [17, Th. 6] in that we do not assume the implementable
language $\lambda(\mathcal{L}_{fifo}(\mathcal{S}))$ to be regular.

Theorem 3.7 shows that the expressivity of netcharts coincides with the ex- 
pressivity of MPAs up to labellings. This leads us to a first answer to questions 
from [17]. 

Corollary 3.8. It is undecidable whether a netchart language is regular.

Proof. We observe first that it is undecidable whether the language of some
given MPA is regular. More precisely, similarly to the proof of [19, Prop. 7], for
any instance of Post's Correspondence Problem, we build some MPA $\mathcal{S}$ such that
the instance has a solution iff $\mathcal{L}_{fifo}(\mathcal{S})$ is not empty and in this case $\mathcal{L}_{fifo}(\mathcal{S})$ is not
regular. Now the proof follows from the effectiveness of Th. 3.7 with a labelling
$\lambda = \mathrm{Id} : \Lambda \to \Lambda$. ∎



4 Netcharts vs. High-Level Message Sequence Charts

Let us now recall how one can build high-level MSCs from basic MSCs. First,
the asynchronous concatenation of two basic MSCs $M_1 = (E_1, \preccurlyeq_1, \xi_1)$ and $M_2 = (E_2, \preccurlyeq_2, \xi_2)$
is the basic MSC $M_1 \cdot M_2 = (E, \preccurlyeq, \xi)$ where $E = E_1 \uplus E_2$, $\xi = \xi_1 \cup \xi_2$ and the
partial order $\preccurlyeq$ is the transitive closure of $\preccurlyeq_1 \cup \preccurlyeq_2 \cup \{(e_1, e_2) \in E_1 \times E_2 \mid \mathrm{Ins}(e_1) = \mathrm{Ins}(e_2)\}$.
This concatenation allows for the composition of
specifications in order to describe infinite sets of basic MSCs: We obtain high-
level message sequence charts as rational expressions, following thus the usual
algebraic approach that we recall next.

4.1 Rational Sets of MSCs

For any subsets $\mathcal{L}$ and $\mathcal{L}'$ of bMSC, the product of $\mathcal{L}$ by $\mathcal{L}'$ is $\mathcal{L} \cdot \mathcal{L}' = \{x \cdot x' \mid x \in \mathcal{L} \wedge x' \in \mathcal{L}'\}$.
We let $1$ denote the empty basic MSC and we put $\mathcal{L}^0 = \{1\}$.
For any $n \in \mathbb{N}$, $\mathcal{L}^{n+1} = \mathcal{L}^n \cdot \mathcal{L}$; then the iteration of $\mathcal{L}$ is $\mathcal{L}^* = \bigcup_{n \in \mathbb{N}} \mathcal{L}^n$. $\mathcal{L}^*$ is
also denoted $\langle \mathcal{L} \rangle$. A language $\mathcal{L} \subseteq \mathrm{bMSC}$ is finitely generated if there is a finite
subset $\Gamma$ of bMSC such that $\mathcal{L} \subseteq \langle \Gamma \rangle$. A subset of bMSC is rational if it can
be obtained from the finite subsets of bMSC by means of unions, products and
iterations. Any rational language is finitely generated.

Definition 4.1. A high-level message sequence chart (HMSC) is a rational expression
of basic MSCs, that is, an expression built from finite sets of basic MSCs
by use of union ($+$), product ($\cdot$) and iteration ($*$).

We follow here the approach adopted e.g. in [1, 2, 5, 8, 14, 19] where HMSCs
are however often flattened into message sequence graphs. The set of MSCs
corresponding to some HMSC $\mathcal{H}$ is denoted by $\mathcal{L}_{\mathcal{H}}$.

Example 4.2. Consider again the two component MSCs $A$ and $B$ of the
netchart $N_1$ depicted in Fig. 7. As already observed in Example 3.3, the language
$\mathcal{L}_{fifo}(N_1)$ is the set of all FIFO basic MSCs that consist only of messages
$a$ and $b$ exchanged from $i$ to $j$. This language corresponds to the HMSC $(A+B)^*$.



4.2 For Netchart Languages: Finitely Generated Means Rational 

As already observed in [17, Fig. 6], there are netcharts whose languages are not
finitely generated. Clearly these netchart languages are not rational. We show
here that it is undecidable whether a given netchart language is described by
some HMSC (Cor. 4.4). As a first step, the next result shows that being finitely
generated is sufficient for a netchart language to be rational.

Theorem 4.3. For any netchart $N$, $\mathcal{L}_{fifo}(N)$ is finitely generated iff it is the
language of some HMSC.

Proof. Let $\Gamma$ be a finite set of basic MSCs over $\Lambda$ such that $\mathcal{L}_{fifo}(N) \subseteq \langle \Gamma \rangle$. From
Theorem 3.6, we can build some MPA $\mathcal{S}$ over a refined set of messages $\Lambda'$ such
that $\mathcal{L}_{fifo}(N) = \lambda(\mathcal{L}_{fifo}(\mathcal{S}))$ for some $\lambda : \Lambda' \to \Lambda$. Let $\Gamma'$ be the subset of FIFO
basic MSCs $M$ over $\Lambda'$ such that $\lambda(M) \in \Gamma$. Then $\mathcal{L}_{fifo}(N) = \lambda(\mathcal{L}_{fifo}(\mathcal{S}) \cap \langle \Gamma' \rangle)$.
Since $\mathcal{L}_{fifo}(\mathcal{S}) \cap \langle \Gamma' \rangle$ is recognizable and finitely generated, it is described by some
globally cooperative HMSC [16, Th. 2.3]. ∎

In [19, Prop. 7], it was shown that it is undecidable whether the language of 
some given MPA is finitely generated. Since the language of any MPA is also 
the language of some netchart that we can effectively build (Th. 3.7), we obtain 
easily a first corollary of Th. 4.3. 

Corollary 4.4. Given some netchart $N$, it is undecidable whether $\mathcal{L}_{fifo}(N)$ is
described by some HMSC.

Thus, it is undecidable whether a netchart language is rational. In the end 
of this section we show that the opposite question is undecidable, too (Th. 4.7). 

4.3 From HMSCs to Netcharts 

Let us now relate the notions of regularity and channel-boundedness in the
framework of netcharts. Recall first that the channel-width of some basic MSC
$M$ is the maximal number of messages that may be sent in a channel but not
received along some linear extension of $M$. Formally, the channel-width of $M$ is

$$\max\{\, |v|_{i!^x j} - |v|_{j?^x i} \mid u \in LE(M) \wedge v \text{ is a prefix of } u \,\}.$$

A language of basic MSCs $\mathcal{L} \subseteq \mathrm{bMSC}$ is called channel-bounded by an integer
$B$ if each basic MSC of $\mathcal{L}$ has a channel-width at most $B$. It was observed
in [8] that each regular MSC language is channel-bounded. In general the converse
fails. However, for netchart languages the two notions coincide as the next
elementary observation shows.
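Both the asynchronous concatenation of Section 4 and the channel-width just defined are computations over the events of a basic MSC. The Python program below is an added example, not the paper's own code: it stores a basic MSC as per-instance event sequences plus send/receive pairs, builds $M_1 \cdot M_2$, enumerates $LE(M)$, tests FIFO-ness, and computes the channel-width as the maximum, over all linear extensions and all their prefixes, of sends minus receives on each channel $(i, j, x)$. The sample MSCs M_AB, M_AA and D_NONFIFO are constructed here (the last in the spirit of the non-FIFO behaviour of Fig. 7); they are not the paper's figures.

```python
"""Basic MSCs as labelled dags: asynchronous concatenation (Section 4),
linear extensions, FIFO-ness and channel-width (Section 4.3).

Added example, not the paper's own code. Actions are ('!', i, j, m) for
i!^m j and ('?', j, i, m) for j?^m i; a message pairs a send event with its
receive event."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

Action = Tuple[str, str, str, str]


@dataclass
class BMSC:
    order: Dict[str, List[int]]    # instance -> its events in local (instance) order
    label: Dict[int, Action]       # event -> action
    msgs: List[Tuple[int, int]]    # (send event, matching receive event)

    def concat(self, other: "BMSC") -> "BMSC":
        """M1 . M2: disjoint union of events; on each instance, M2's events follow M1's."""
        off = max(self.label, default=-1) + 1
        order = {i: list(es) for i, es in self.order.items()}
        for i, es in other.order.items():
            order.setdefault(i, []).extend(e + off for e in es)
        label = dict(self.label)
        label.update({e + off: a for e, a in other.label.items()})
        msgs = self.msgs + [(s + off, r + off) for s, r in other.msgs]
        return BMSC(order, label, msgs)


def message(i: str, j: str, m: str) -> BMSC:
    """The basic MSC with a single message m from i to j (send = event 0, receive = event 1)."""
    return BMSC({i: [0], j: [1]}, {0: ('!', i, j, m), 1: ('?', j, i, m)}, [(0, 1)])


def linear_extensions(M: BMSC) -> Iterator[List[Action]]:
    """Every word of LE(M): instance orders respected, each receive after its send."""
    send_of = {r: s for s, r in M.msgs}
    pos = {i: 0 for i in M.order}
    done = set()
    prefix: List[int] = []

    def rec() -> Iterator[List[Action]]:
        if len(prefix) == len(M.label):
            yield [M.label[e] for e in prefix]
            return
        for i, es in M.order.items():
            if pos[i] == len(es):
                continue
            e = es[pos[i]]
            if e in send_of and send_of[e] not in done:
                continue                    # its send has not happened yet
            pos[i] += 1; done.add(e); prefix.append(e)
            yield from rec()
            prefix.pop(); done.discard(e); pos[i] -= 1

    yield from rec()


def is_fifo(M: BMSC) -> bool:
    """FIFO: on every link (i, j), messages are received in the order they were sent."""
    recv_of = dict(M.msgs)
    for i in M.order:
        for j in M.order:
            sends = [e for e in M.order[i] if M.label[e][0] == '!' and M.label[e][2] == j]
            recvs = [e for e in M.order[j] if M.label[e][0] == '?' and M.label[e][2] == i]
            if [recv_of[s] for s in sends] != recvs:
                return False
    return True


def channel_width(M: BMSC) -> int:
    """max over u in LE(M) and prefixes v of u of |v|_{i!^x j} - |v|_{j?^x i}."""
    best = 0
    for u in linear_extensions(M):
        pending: Dict[Tuple[str, str, str], int] = {}
        for kind, actor, peer, m in u:        # scanning u visits every prefix v
            key = (actor, peer, m) if kind == '!' else (peer, actor, m)
            pending[key] = pending.get(key, 0) + (1 if kind == '!' else -1)
            best = max(best, pending[key])
    return best


# Constructed samples: a then b from i to j (FIFO), a twice, and the non-FIFO dag
# where j receives b before a although i sent a first (in the spirit of Fig. 7).
M_AB = message('i', 'j', 'a').concat(message('i', 'j', 'b'))
M_AA = message('i', 'j', 'a').concat(message('i', 'j', 'a'))
D_NONFIFO = BMSC({'i': [0, 2], 'j': [3, 1]},
                 {0: ('!', 'i', 'j', 'a'), 1: ('?', 'j', 'i', 'a'),
                  2: ('!', 'i', 'j', 'b'), 3: ('?', 'j', 'i', 'b')},
                 [(0, 1), (2, 3)])
```

Iterating `concat` on `message('i', 'j', 'a')` grows the channel-width without bound, which is the concrete face of the remark above that a finitely generated language need not be channel-bounded; the enumeration of linear extensions is exponential in the size of the MSC and is meant for the small scenarios of the examples, not for netchart analysis at scale.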

Lemma 4.5. Let $N$ be a netchart. The language $\mathcal{L}_{fifo}(N)$ is regular iff it is
channel-bounded.

This result may be seen as a direct consequence of Theorem 3.6 although
it is much easier to prove it directly. With the help of Lemma 4.5 and Th. 3.5
we can now easily characterize which channel-bounded FIFO HMSCs describe a
netchart language.

Theorem 4.6. Let $\mathcal{H}$ be a HMSC such that $\mathcal{L}_{\mathcal{H}}$ is channel-bounded and FIFO.
Then $\mathcal{L}_{\mathcal{H}}$ is regular iff $\mathcal{L}_{\mathcal{H}}$ is a netchart language.

By means of the proof technique of [8, Th. 4.6], we can show easily that
it is undecidable whether a channel-bounded FIFO HMSC describes a regular
language. As a consequence, we get the following negative result.

Theorem 4.7. It is undecidable whether the language of some given HMSC
can be described by some netchart. This holds even if we restrict to HMSCs that
describe channel-bounded languages.

5 Two Positive Results for FIFO Netcharts

We have proved in Cor. 3.8 that checking regularity of $\mathcal{L}_{fifo}(N)$ is undecidable.
To cope with this negative result, we introduce a subclass of netcharts for which
regularity becomes decidable. This restriction was also considered at some point
in [17].

Definition 5.1. A netchart $N$ is called FIFO if any execution sequence of its
low-level Petri net is a linear extension of some FIFO basic MSC.

Figure 7 shows a non-FIFO netchart whereas Figure 4 shows a FIFO netchart. 
Interestingly, this subclass of netcharts is decidable and regularity is decidable 
in this subclass. 

Theorem 5.2. It is decidable whether a netchart is a FIFO netchart.

Proof. We consider two distinct messages $a$ and $b$ from $\Lambda^\circ$. These two messages
are involved in four transitions $i!^a j$, $j?^a i$, $i!^b j$ and $j?^b i$ in the low-level net $\mathcal{P}_N$.
In order to check whether $b$ can overtake $a$ in some execution sequence of $\mathcal{P}_N$,
we build a new Petri net from $\mathcal{P}_N$ by adding some places and some transitions.
More precisely, around the four transitions related to $a$ and $b$ and the two corresponding
places depicted in gray in Fig. 8, we add 8 new transitions $i!^{a_k} j$, $j?^{a_k} i$,
$i!^{b_k} j$ and $j?^{b_k} i$ ($k \in \{1, 2\}$) and 18 new places drawn in black in Fig. 8. Observe
that the new transition $i!^{a_1} j$ can be executed at most once; moreover in this
case a token is put in the new place at its left. A similar observation holds for
$j?^{a_1} i$, $i!^{b_1} j$, and $j?^{b_1} i$. Observe also that $i!^{b_1} j$ can be executed only after $i!^{a_1} j$
whereas $j?^{a_1} i$ can be executed only after $j?^{b_1} i$. Now each arc from a place $p$ to
the transition $i!^a j$ is copied into an arc from $p$ to $i!^{a_1} j$ and another arc from $p$ to
$i!^{a_2} j$. We proceed similarly with places in $(i!^a j)^\bullet$ and with the transition $i!^b j$. Now
we claim that some MSC of $\mathcal{P}_N$ shows some overtaking of $b$ over $a$ iff the new
Petri net admits an execution sequence that involves the transitions $i!^{a_1} j$ and
$i!^{b_1} j$. We can check the existence of such an execution sequence by reachability
analysis [15]. ∎

Theorem 5.3. Regularity of $\mathcal{L}_{fifo}(N)$ is decidable for FIFO netcharts.

Proof. By Lemma 4.5, we have to check whether $\mathcal{L}_{fifo}(N)$ is channel-bounded.
Since $N$ has finitely many final states, we may assume that $N$ has a unique
final marking. Since $\mathcal{L}_{fifo}(N) = \pi^\circ(\mathcal{L}_{fifo}(\mathcal{P}_N))$, $\mathcal{L}_{fifo}(N)$ is channel-bounded iff
$\mathcal{L}_{fifo}(\mathcal{P}_N)$ is channel-bounded. Moreover $\mathcal{L}_{fifo}(\mathcal{P}_N)$ is channel-bounded iff it is
regular. Since $N$ is FIFO, this holds iff the set of all execution sequences of $\mathcal{P}_N$
is regular. This question is decidable as shown by Lambert [12, Th. 5.2]. An
alternative to this proof is to apply a recent and independent work by Wimmel
[21] which is also based on [12]. ∎



6 Getting Rid of the FIFO Restriction 

In this section we introduce an extended semantics for netcharts which includes 
non-FIFO MSCs. We show that most results in the FIFO semantics remain valid 
with this new approach. However we exhibit a netchart that is not implementable 
(Ex. 6.5). 

6.1 Non-FIFO Behaviors of Netcharts 

Let $N$ be a netchart and $\mathcal{P}_N$ be its low-level Petri net. The non-FIFO language
$\mathcal{L}(\mathcal{P}_N)$ of $\mathcal{P}_N$ consists of the (possibly non-FIFO) basic MSCs $M$ such that each
linear extension from $LE(M)$ is an execution sequence of $\mathcal{P}_N$. In particular,
$\mathcal{L}_{fifo}(\mathcal{P}_N)$ consists of all FIFO basic MSCs of $\mathcal{L}(\mathcal{P}_N)$. When dealing with non-
FIFO basic MSCs and labellings, one has to take care of degenerating MSCs.



Definition 6.1. Let $\Lambda_1$ and $\Lambda_2$ be two sets of messages and $\lambda : \Lambda_1 \to \Lambda_2$ be a
mapping from $\Lambda_1$ to $\Lambda_2$. A basic MSC $M = (E, \preccurlyeq, \xi)$ over $\Lambda_1$ is called degenerating
with $\lambda$ if the dag $\lambda(M) = (E, \prec\!\!\cdot, \lambda \circ \xi)$ is not the MSC dag of some basic
MSC.

Example 6.2. Consider the drawings of Fig. 9. The directed acyclic graph $D'$
is obtained from the MSC dag $D$ with the labelling $\pi^\circ$ such that $a_1, a_2 \mapsto a$ and
$b_1 \mapsto b$. Since $D'$ is not an MSC dag, the basic MSC $D$ is degenerating with $\pi^\circ$.

Since we do not want to deal with degenerate behaviors in this paper, we
have to select from the basic MSCs of the low-level Petri net only those basic
MSCs that are not degenerating with the labelling $\pi^\circ$.

Definition 6.3. The non-FIFO semantics $\mathcal{L}(N)$ of a netchart consists of the
basic MSCs obtained from the basic MSCs of $\mathcal{L}(\mathcal{P}_N)$ that are not degenerating
with $\pi^\circ$:

$$\mathcal{L}(N) = \{\pi^\circ(M) \mid M \in \mathcal{L}(\mathcal{P}_N) \wedge M \text{ is not degenerating with } \pi^\circ\}.$$

Example 6.4. Consider the netchart $N_2$ of Fig. 9 for which a marking $m$ is final
iff $\sum_{\mathrm{Ins}(p) = i} m(p) = 1$ for each instance $i \in I$. As explained in Example 6.2 the
basic MSC $D \in \mathcal{L}(\mathcal{P}_{N_2})$ is degenerating with $\pi^\circ$.




Fig. 9. Netchart $N_2$ and a degenerate behavior $D'$ ($D' \notin \mathcal{L}(N_2)$)

6.2 Non-FIFO Semantics of MPAs

A rather natural non-FIFO semantics for MPAs and a corresponding notion of
implementation may be defined as follows. First, the non-FIFO semantics $\mathcal{L}(\mathcal{S})$
of an MPA $\mathcal{S}$ consists of the (possibly non-FIFO) basic MSCs $M$ such that each
linear extension of $M$ is an execution sequence of $\mathcal{S}$. Now, an MSC language $\mathcal{L}$ is
implementable under the non-FIFO semantics of MPAs if there are some MPA
$\mathcal{S}$ over some set of messages $\Lambda'$ and some labelling $\lambda : \Lambda' \to \Lambda$ such that no MSC
from $\mathcal{L}(\mathcal{S})$ is degenerating with $\lambda$ and $\mathcal{L} = \lambda(\mathcal{L}(\mathcal{S}))$. Differently from the FIFO
semantics, there are netcharts that are not implementable under the non-FIFO
semantics.

Example 6.5. Continuing Example 6.4, the low-level Petri net of the netchart
$N_2$ depicted in Fig. 9 admits some non-FIFO executions. However all these basic
MSCs are degenerating with $\pi^\circ$: Therefore the non-FIFO semantics of $N_2$
consists actually of FIFO basic MSCs only. More precisely, $\mathcal{L}(N_2) = \mathcal{L}_{fifo}(N_2)$
is described by the HMSC $(A + B)^*$ of Example 4.2. It is easy to show that
this MSC language is not implementable under the non-FIFO semantics of
MPAs.



6.3 Extending Some Results From the FIFO to the Non-FIFO 
Semantics 

Theorems 3.7, 4.3, 4.6 and 4.7 can be established with the non-FIFO semantics
by adapting the proofs slightly. Yet Corollaries 3.8 and 4.4 need to be more
careful.

Theorem 6.6. It is undecidable whether some netchart language $\mathcal{L}(N)$ is regular
(resp. can be described by some HMSC).

Proof. The proof is based on the following key technical result: For any MPA
$\mathcal{S}$ over $\Lambda^\circ$ and any mapping $\lambda : \Lambda^\circ \to \Lambda$ we can effectively build a netchart $N$
such that $\mathcal{L}(N) = \lambda(\mathcal{L}_\lambda)$ where $\mathcal{L}_\lambda$ is the set of basic MSCs $M \in \mathcal{L}(\mathcal{S})$ that are
not degenerating with $\lambda$. Now we apply again [19, Prop. 7]. Let $\mathcal{S}$ be some MPA
over $\Lambda$. We consider $\Lambda_\# = \{\#\}$ and $\lambda : \Lambda \to \{\#\}$. By the above construction, we
can build some netchart $N$ such that $\mathcal{L}(N) = \lambda(\mathcal{L}_{fifo}(\mathcal{S}))$ because $\mathcal{L}_\lambda = \mathcal{L}_{fifo}(\mathcal{S})$.
Then $\mathcal{L}(N)$ is finitely generated (resp. regular) iff $\mathcal{L}_{fifo}(\mathcal{S})$ is also finitely generated
(resp. regular). ∎

Discussion. These undecidability results rely essentially on the possible presence
of degenerating MSCs in the low-level Petri net. Similarly to results obtained
for FIFO netcharts (Th. 5.2 and 5.3), we can check effectively whether
a netchart admits some degenerating MSCs in its low-level Petri net. Moreover,
in case no such MSC appears, then $\mathcal{L}(N)$ is easily implementable under
the non-FIFO semantics of MPAs and we can effectively check whether
it is regular. Thus, it is quite useful to avoid degenerate behaviors. For this
reason, we suggest that component MSCs should use disjoint sets of messages
(that is, messages should be private to transitions) because this simple requirement
ensures that no degenerating MSC appears in the low-level Petri
net.

Acknowledgements. Thanks to the anonymous referees for suggestions to improve
the presentation of the paper. We thank also H. Wimmel for communicating
us paper [21].

Basic Theory of Reduction Congruence for
Two Timed Asynchronous $\pi$-Calculi

Abstract. We study reduction congruence, the most widely used notion
of equality for the asynchronous $\pi$-calculus with timers, and derive
several alternative characterisations, one of them being a labelled
asynchronous bisimilarity. These results are adapted to an asynchronous
$\pi$-calculus with timers, locations and message failure. In addition we investigate
the problem of how to distribute value-passing processes in a
semantics-preserving way.



1 Introduction 

The $\pi$-calculus has been used to good effect as a tool for modelling and reasoning
about computation [6, 7, 18, 23, 26]. Unfortunately, it appears incomplete for
compositional representation and verification of distributed systems. An important
instance of what cannot be covered convincingly are network protocols, for
example TCP, that implement reliable (under some mild constraints about the
probability of message failures) FIFO channels on top of an unreliable message
passing fabric. Typically, such protocols start a timer when sending a message
and, if the corresponding acknowledgement doesn't arrive early enough or not at
all, a time-out initiates a retransmission. Timed Automata, Time(d) Petri Nets,
Timed CCS and many other formalisms have been proposed to help express
this or similar phenomena. Unfortunately, they all seem insufficient to give convincing
accounts of advanced programming languages containing primitives for
distribution, such as Java or the POSIX libraries. The two key shortcomings are
the lack in expressivity of the underlying non-distributed formalism (e.g. finite
automata or CCS do not allow precise and compositional modelling of Java's
non-distributed core) and incomplete integration of the different features that
are believed to be necessary for modelling distributed systems (e.g. [1] lacks timing
and many timed process algebras do not feature message failures among their
primitive operations). As an initial move towards overcoming this expressivity
gap, [5] augmented the asynchronous $\pi$-calculus with a timer, with locations,
message-loss, location failure and the ability to save process state. The present
text, a partial summary of [4], takes the next step and starts the study of two extensions
in earnest by investigating the natural equality for $\pi_t$, the asynchronous
$\pi$-calculus with timers and $\pi_{mlt}$, the asynchronous $\pi$-calculus with timers and
message failure.

The remainder has two main parts. First, several characterisations of $\pi_t$'s
reduction congruence, the canonical equivalence for asynchronous $\pi$-calculi [12, 17],
are obtained. The most useful of those is as a labelled bisimilarity. For
other untyped $\pi$-calculi, weak labelled characterisations of reduction congruence
have not been forthcoming, only sound approximations. $\pi_t$ is interesting because
it allows to study the effect of combining discrete timing and name passing
interaction, a line of inquiry long overdue. It also paves the way for the second
part which studies $\pi_{mlt}$, a minimal extension of $\pi_t$ allowing convenient expression
of basic distributed algorithms such as the aforementioned network protocol. We
show that reasoning about $\pi_{mlt}$ can be broken down into two parts: reasoning
about processes, i.e. reasoning in $\pi_t$, and reasoning about distributed interaction.
A related aim is to devise a translation $(\cdot)^*$ that allows to take a non-distributed
process $P \mid Q$ and locate it as $[P^*] \mid [Q^*]$ in a semantics preserving way (here $[\cdot]$
denotes location). This may help to reason about some properties of distributed
processes using tools from centralised computing. That may not be possible
for arbitrary $P$ and $Q$ but we identify a translation that works for a restricted
class of processes and may be a good starting point for further investigations.
The other main contribution of this second part is a characterisation of $\pi_{mlt}$'s
reduction congruence by a barbed congruence [21], and a sound approximation
by a labelled bisimilarity.



2 Adding Discrete Timing to $\pi$

2.1 Syntax and Semantics of $\pi_t$

The $\pi$-calculus [16, 20] is a simple syntax for modelling computation as name-
passing interaction. The key operational rule is

(Com) $\overline{x}\langle y \rangle \mid x(v).P \to P\{y/v\}$

where the process $\overline{x}\langle y \rangle$ sends the data $y$ along a channel $x$ (drawn from a countably
infinite set $\mathcal{N}$ of names) and another process $x(v).P$ waits to receive data on
the same channel $x$, called input subject. When the interaction happens, $x(v).P$
evolves into $P\{y/v\}$. The operator $\mid$ is parallel composition. Finitely describable
infinitary behaviour is achieved by way of a replication operation $!$ and interaction
of $P$ at $x$ with the environment can be prevented by the restriction $(\nu x)P$.

Our new syntax $\mathsf{timer}^t(x(v).P, Q)$, with $t > 0$ being an integer, is straightforward
and completely standard. It supports two operations: (1) the time-out
which means that after $t$ steps it turns into $Q$, unless (2) it has been stopped,
i.e. that a message has been received by the timer at $x$.

(Stop) $\mathsf{timer}^{t+1}(x(v).P, Q) \mid \overline{x}\langle y \rangle \to P\{y/v\}$

The resulting calculus is given by the following grammar.

$$P ::= x(v).P \;\mid\; \overline{x}\langle y \rangle \;\mid\; P \mid Q \;\mid\; (\nu x)P \;\mid\; \mathsf{timer}^t(x(v).P, Q) \;\mid\; !x(v).P \;\mid\; 0$$

We often abbreviate $x\langle\rangle$ to $x$ and write $x.P$ in $x().P$'s stead. The asynchronous
$\pi$-calculus is a sub-calculus of $\pi_t$. The free and bound names of timers are:
$\mathrm{fn}(\mathsf{timer}^t(x(v).P, Q)) = \mathrm{fn}(x(v).P) \cup \mathrm{fn}(Q)$, $\mathrm{bn}(\mathsf{timer}^t(x(v).P, Q)) = \mathrm{bn}(x(v).P) \cup \mathrm{bn}(Q)$.
Structural congruence $\equiv$ is defined by the same axioms as in the asynchronous
$\pi$-calculus, but over our extended syntax.

The flow of time is communicated at each step in the computation by a time
stepper function $\phi$, which acts on processes. It models the implicit broadcast of
time passing and works equally well for labelled transitions and reductions.

$$\phi(P) = \begin{cases}
\mathsf{timer}^{t-1}(x(v).Q, R) & P = \mathsf{timer}^t(x(v).Q, R),\ t > 1 \\
R & P = \mathsf{timer}^t(x(v).Q, R),\ t \le 1 \\
\phi(Q) \mid \phi(R) & P = Q \mid R \\
(\nu x)\phi(Q) & P = (\nu x)Q \\
P & \text{otherwise.}
\end{cases}$$

Here is how time stepping is used.

(Par) $P \to P' \Rightarrow P \mid Q \to P' \mid \phi(Q)$

The only difference with the corresponding rule of untimed calculi is that we
have $\phi(Q)$ rather than $Q$ in the resulting process of the conclusion. It ensures
that each active timer, that is any timer not under a prefix, is ticked one unit
at each interaction. The additional rule

(Idle) $P \to \phi(P)$

prevents the flow of time from ever being halted by deadlocked processes. This
means, $\pi_t$ does not enforce progress assumptions that can be found in many
models of timed computations. It is possible to add progress requirements later
on top of $\pi_t$. Here are the remaining reduction rules.

(Rep) $!x(v).P \mid \overline{x}\langle y \rangle \to\; !x(v).P \mid P\{y/v\}$

(Res) $P \to Q \Rightarrow (\nu x)P \to (\nu x)Q$ \quad (Cong) $P \equiv P' \to Q' \equiv Q \Rightarrow P \to Q$

The corresponding labelled synchronous semantics is obtained from the conventional
synchronous semantics [15] of the asynchronous $\pi$-calculus with the
following new rules, the first of which replacing that for parallel composition.

$$P \xrightarrow{l} P',\ \mathrm{bn}(l) \cap \mathrm{fn}(Q) = \emptyset \;\Rightarrow\; P \mid Q \xrightarrow{l} P' \mid \phi(Q)
\qquad
\mathsf{timer}^{t+1}(x(v).P, Q) \xrightarrow{x(z)} P\{z/v\}
\qquad
P \xrightarrow{\tau} \phi(P)$$

Labels are given as $l ::= \tau \mid x(y) \mid \overline{x}\langle(\nu y)z\rangle$. Contexts are standard except for
two new rules: $C[\cdot] ::= \ldots \mid \mathsf{timer}^t(x(v).P, C'[\cdot]) \mid \mathsf{timer}^t(x(v).C'[\cdot], P)$. A binary
relation $\mathcal{R}$ on processes is a $\pi_t$-congruence if it is an equivalence, if $\equiv \subseteq \mathcal{R}$
and if $P \mathcal{R} Q$ implies $C[P] \mathcal{R} C[Q]$ for all contexts $C[\cdot]$. The strong barb $\downarrow_x$
for $\pi_t$ is defined (up to $\equiv$) by (1) $\overline{x}\langle y \rangle \downarrow_x$; (2) $P \downarrow_x \Rightarrow P \mid Q \downarrow_x$; and (3) $P \downarrow_x$,
$x \neq y \Rightarrow (\nu y)P \downarrow_x$. A symmetric binary relation $\mathcal{R}$ on processes is a strong barbed
bisimulation if it is a $\pi_t$-congruence and if $P \mathcal{R} Q$ implies the following: (1) for
all names $x$: $P \downarrow_x$ implies $Q \downarrow_x$; and (2) whenever $P \to P'$ then there is a process
$Q'$ such that $Q \to Q'$ and $P' \mathcal{R} Q'$. The largest strong barbed bisimulation $\sim$ is
strong reduction congruence. The corresponding notions of barbed bisimulation
and reduction congruence $\approx$ are derived by replacing $\downarrow_x$ with $\Downarrow_x$ and $\to$ with $\twoheadrightarrow$.
Here $\twoheadrightarrow$ is the transitive and reflexive closure of $\to$ and $P \Downarrow_x$ means $P \twoheadrightarrow Q \downarrow_x$
for some $Q$. A binary relation $\mathcal{R}$ on processes is time-closed if $P \mathcal{R} Q$ implies
$\phi(P) \mathcal{R} \phi(Q)$. It will later emerge that $\approx$ and $\sim$ are time-closed.



Examples (1)

1. The process $\mathsf{delay}^t(P) = (\nu x)\mathsf{timer}^t(x.0, P)$ implements a delay operator, assuming
$x \notin \mathrm{fn}(P)$. For $t$ units of time, it cannot interact at all, it behaves
like $0$, but then it evolves into $P$. It is comparable to the sleep operator in
Java and can be used to implement cyclic behaviour: $(\nu x)(\overline{x} \mid\; !x.\mathsf{delay}^t(P \mid \overline{x}))$
($x \notin \mathrm{fn}(P)$) which spawns $P$ every $t+1$ units of time. The delay operator is
crucial in the proof of Theorem 2.

2. The next example shows that we only need $\mathsf{timer}^1(x(v).P, Q)$ as timing construct,
as all others can be built up by iteration of this basic form. Define
$T_1 = \mathsf{timer}^1(x(v).P, Q)$ and $T_{t+1} = \mathsf{timer}^1(x(v).P, T_t)$. Then $T_t \sim \mathsf{timer}^t(x(v).P, Q)$
for all $t > 0$.

3. Assume that $P$ is a process of the form $x(v).Q$. Define $P^0$ to be $0$ and let
$P^{n+1} = \mathsf{timer}^1(P, P^n)$. Then $P^n$ is a process that offers the service $P$ for $n$
time units when it becomes unguarded. Note that $P$ is offered only once.
$\mathsf{delay}^m(P^n)$ also offers $P$ for $n$ units of time, but not straight away. Instead
the service is available only after $m$ units of time.

4. A variant of the previous example. Assume $P = x(v).Q$ with $\mathrm{fn}(P) = \{x\}$, $x \notin \{v\}$.
Let $P^0 = 0$ and set $P^{n+1} = \mathsf{timer}^1(x(v).(Q \mid P^n), P^n)$. Now $P$ is offered
for repeated use in $P^n$, for $n$ units of time, so we may invoke $P$ up to $n$ times.
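The case analysis defining the time stepper $\phi$ and the constructions in Examples (1) above can be checked mechanically on small terms. The Python program below is an added example, not the author's code: it gives $\pi_t$ a concrete syntax, implements $\phi$, the free-name function with the timer clause, $\mathsf{delay}^t(P)$ from item 1 and the nested timers $T_t$ from item 2; only time stepping is modelled, not the communication reductions (Com) and (Stop). Encoding choices are mine: names are strings, and $x()$ without parameter uses the empty string as its bound name.

```python
"""A concrete syntax for pi_t and its time stepper phi (Section 2.1).

Added example, not the author's code. Names are strings; x() with no
parameter (written x in the text) uses "" as its bound name."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Set, Union


@dataclass(frozen=True)
class Nil:            # 0
    pass

@dataclass(frozen=True)
class Out:            # x<y>, asynchronous output
    x: str
    y: str

@dataclass(frozen=True)
class In:             # x(v).P
    x: str
    v: str
    body: Proc

@dataclass(frozen=True)
class Par:            # P | Q
    left: Proc
    right: Proc

@dataclass(frozen=True)
class Res:            # (nu x)P
    x: str
    body: Proc

@dataclass(frozen=True)
class Rep:            # !x(v).P
    inp: In

@dataclass(frozen=True)
class Timer:          # timer^t(x(v).P, Q), t > 0
    t: int
    inp: In
    alt: Proc

Proc = Union[Nil, Out, In, Par, Res, Rep, Timer]


def phi(p: Proc) -> Proc:
    """One clock tick, following the case analysis of phi; prefixes block the tick."""
    if isinstance(p, Timer):
        return Timer(p.t - 1, p.inp, p.alt) if p.t > 1 else p.alt
    if isinstance(p, Par):
        return Par(phi(p.left), phi(p.right))
    if isinstance(p, Res):
        return Res(p.x, phi(p.body))
    return p          # 0, outputs, inputs, replications: unchanged


def ticks(p: Proc, n: int) -> Proc:
    """n idle steps (Idle): phi applied n times."""
    for _ in range(n):
        p = phi(p)
    return p


def fn(p: Proc) -> Set[str]:
    """Free names, with fn(timer^t(x(v).P, Q)) = fn(x(v).P) u fn(Q)."""
    if isinstance(p, Out):
        return {p.x, p.y}
    if isinstance(p, In):
        return {p.x} | (fn(p.body) - {p.v})
    if isinstance(p, Par):
        return fn(p.left) | fn(p.right)
    if isinstance(p, Res):
        return fn(p.body) - {p.x}
    if isinstance(p, Rep):
        return fn(p.inp)
    if isinstance(p, Timer):
        return fn(p.inp) | fn(p.alt)
    return set()


def delay(t: int, p: Proc, x: str = "x") -> Proc:
    """delay^t(P) = (nu x)timer^t(x.0, P) for x not in fn(P)   (Examples (1), item 1)."""
    assert x not in fn(p)
    return Res(x, Timer(t, In(x, "", Nil()), p))


def nested_timer(t: int, inp: In, q: Proc) -> Proc:
    """T_1 = timer^1(x(v).P, Q), T_{t+1} = timer^1(x(v).P, T_t)   (Examples (1), item 2)."""
    acc: Proc = Timer(1, inp, q)
    for _ in range(t - 1):
        acc = Timer(1, inp, acc)
    return acc


if __name__ == "__main__":
    inp = In("x", "v", Out("v", "z"))          # x(v).v<z>
    for k in range(4):
        print(k, ticks(Timer(3, inp, Nil()), k) == ticks(nested_timer(3, inp, Nil()), k))
```

Ticking $T_t$ and $\mathsf{timer}^t(x(v).P, Q)$ side by side shows the two terms agreeing syntactically after every idle step (both reach $\mathsf{timer}^1(x(v).P, Q)$ after $t-1$ ticks and $Q$ after $t$), which is the behaviour behind the stated $T_t \sim \mathsf{timer}^t(x(v).P, Q)$. Note that $\phi$ leaves the alternative $R$ untouched when a timer expires and does not enter input prefixes, exactly as the case analysis prescribes.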



2.2 Why a Novel Kind of Timer?

Before getting on with the technical development, we'd like to summarise the key
reasons for devising our own reduction-based account of discrete timing rather
than adapting one of the existing constructs.

— A key design objective was simplicity and preservation of as much established
$\pi$-calculus technology as possible. That ruled out labelled transitions
with dedicated time passing actions to communicate the flow of time. The
ability to use the simpler reduction semantics is advantageous because it is
sometimes difficult to find suitable labelled semantics. It is trivial to adapt
the timer proposed here to other models of computing, from Ambient Calculi
[11], to $\lambda$-calculi and Abstract State Machines [9]. This is currently not
possible for labelled-transition based approaches to timing.

— Some previous proposals exhibit behavioural anomalies, such as timers being
able to stop themselves. This is caused, to put it simplistically, by less than
ideal combinations of progress assumptions, the ability for time to pass under
unrestricted sums and computational steps having zero duration. The calculi
proposed here do not suffer from these shortcomings.

— Finally, we must emphasise that our timer is different from those where time-
flow is communicated by labelled transitions only in its syntactic presentation.
Its behaviour is essentially identical. Semantically relevant differences
between our calculus and its alternatives are a consequence of other design
choices, for example progress assumptions or the presence of mixed choice,
not of the presentation of timers by way of time-steppers.

Our design of $\pi_t$ and $\pi_{mlt}$ is discussed in great detail in [4], which also contains
comparisons with the alternative approaches.

2.3 The Maximal Sound Theory 

Reduction congruence is often seen to be the most canonical equivalence for 
asynchronous 7r-calculi. This section looks at its incarnation for ir t . The presen- 
tation is close to [17] to facilitate comparison, but due to timers, proofs are quite 
different. 

A logic is a pair C = (F, b) comprising a set F of formulae and an entailment 
relation b C V(F) x F. In this section, F will always be pairs of ^-processes. 
References to the underlying logic C will often be omitted. A set T of formulae is 
a 7 T t -theory, or simply a theory , and its members are axioms. We write Tb P = Q 
whenever (T, (P, Q)) G b and call (P, Q) a theorem or consequence of T in C. If 
T b P = Q is not derivable, we write T 1/ P = Q. The set of all consequences of 
T in C is denoted | T (with the subscript C often omitted). T is consistent if 
| T | does not equate all processes, otherwise it is inconsistent. T is reduction- 
closed if T b P = Q and P — $ S>- P' implies the existence of a reduction sequence 
Q b- Q' such that T b P' = Q'. T is strongly reduction-closed if T b P = Q and 
P — ■> P' implies the existence of a reduction Q — > Q' such that Tb P' = Q'. In 
this section we only use ir t -logics (T, b) whose entailment is inductively defined 
such that | T | is a 7r t -congruence containing T. T is time-closed if T b P = Q 
implies T b ^(P) = 0(Q). 

As is well known, there is no unique largest consistent and reduction-closed theory (Theorem 1(2) below), so we have to impose a mild additional constraint. Preservation of weak barbs is a popular choice, but requires a notion of observation. Alas, it is not a priori clear what observing timed computations may entail. Fortunately, we can do without a notion of observation and will prove in Theorem 1 that $\downarrow_x$ defined above is in fact a correct notion of barb. A process $P$ is insensitive if it can never interact with any other process, i.e. $P \twoheadrightarrow Q$ implies $\mathrm{an}(Q) = \emptyset$. Here $\mathrm{an}(P)$, the active names of $P$, is given by induction on the syntax of $P$: $\mathrm{an}((\nu x)P) = \mathrm{an}(P) \setminus \{x\}$, $\mathrm{an}(P \mid Q) = \mathrm{an}(P) \cup \mathrm{an}(Q)$, $\mathrm{an}(0) = \emptyset$ and $\mathrm{an}(x(\tilde v).P) = \mathrm{an}(!x(\tilde v).P) = \mathrm{an}(\mathrm{timer}^t(x(\tilde v).P, Q)) = \mathrm{an}(\bar x\langle\tilde y\rangle) = \{x\}$. A $\pi_t$-theory is sound if it is consistent, reduction-closed and equates any two insensitive terms.

The dramatic semantic effect of timers becomes apparent in the next proposition: we are guaranteed strong reduction-closure despite having stipulated only reduction-closure.

Proposition 1. Let $T$ be sound. (1) If $T \vdash P = Q$, then $P \downarrow_x$ if and only if $Q \downarrow_x$. (2) If $T \vdash P = Q$ then for all appropriate $x, v$: $T \vdash P\{x/v\} = Q\{x/v\}$. (3) If $T$ is a sound theory, then $T$ is time-closed. (4) $T$ is reduction-closed if and only if whenever $T \vdash P = Q$, then, for all contexts $C[\cdot]$, $C[P] \to P'$ implies $C[Q] \to Q'$ for some $Q'$ with $T \vdash P' = Q'$.

The key reason why requiring reduction-closure and congruency gives strong reduction-closure is (roughly) that we can use a process like $\mathrm{timer}^1(x(\tilde v).\bar a, 0)$ to detect and signal the fact that $P \downarrow_x$ by running both in parallel. After the first step of the clock, that ability disappears forever. Hence any process that wishes to be equated to $P$ by a sound theory had better be able to match any of $P$'s strong barbs immediately and not only after some reduction steps.

With $T_{max} = \bigcup\{T \mid T \text{ is a sound theory}\}$ we can now state the existence and various alternative presentations of the maximal sound theory.

Theorem 1. (1) $T_{max}$ is the unique sound theory such that $|T| \subset |T_{max}|$ for all sound theories $T$. $T_{max}$ is called the maximum sound theory. (2) There is no largest consistent, reduction-closed theory. (3) $|T_{max}| = T_{max} = \sim = \approx$.

2.4 Labelled Semantics 

Reduction-based equivalences are sometimes hard to use. To make reasoning easier, labelled semantics and associated notions of bisimilarity have been developed for many untimed calculi. We shall now do the same for $\pi_t$. A symmetric binary relation $R$ is a strong synchronous bisimulation if $P \mathrel{R} Q$ and $P \xrightarrow{l} P'$ imply that there is a synchronous transition $Q \xrightarrow{l} Q'$ with $P' \mathrel{R} Q'$. The largest strong synchronous bisimulation $\sim$ is strong synchronous bisimilarity.

Weak bisimilarity $\approx$ is defined by replacing $Q \xrightarrow{l} Q'$ with $Q \xRightarrow{\hat l} Q'$ ($\hat l$ is the usual $\tau$-erasing operation).

The failure of the various synchronous bisimilarities to equate $\mathrm{fw}_{xx}$ with $0$ has led to asynchronous transitions [15] which model asynchronous observers. Since $T_{max}$, unlike $\approx$ and $\sim$, equates $\mathrm{fw}_{xx}$ and $0$, asynchronous bisimilarity might also be interesting in $\pi_t$ (here $\mathrm{fw}_{xy} = {!x(\tilde v).\bar y\langle\tilde v\rangle}$). But what are asynchronous transitions $\xrightarrow{l}_a$? Unfortunately, the straightforward adaptation to $\pi_t$ of the transitions introduced in [15] does not work, because the obvious rule for parallel composition

$P \xrightarrow{l}_a P',\ \mathrm{bn}(l) \cap \mathrm{fn}(Q) = \emptyset \Rightarrow P \mid Q \xrightarrow{l}_a P' \mid \phi(Q)$   (1)

does not connect asynchrony well with time passing. To see what goes wrong, consider what it means to be an asynchronous observer. Interacting with a process to detect that it sends a message consumes one unit of time. The (Par) rule and its labelled counterpart (1) ensure that this time-step permeates all processes. Dually, testing that a process is inputting involves sending a message. But asynchrony entails that the observer cannot know exactly when the message has been consumed. Hence the observation should not be associated with a time step, for otherwise a judiciously set timer could detect that interaction by the time it takes. So the rule (1) for parallel composition above may work incorrectly. We propose to split it in two:

- $P \xrightarrow{l}_a P',\ l \neq x\langle\tilde v\rangle,\ \mathrm{bn}(l) \cap \mathrm{fn}(Q) = \emptyset \Rightarrow P \mid Q \xrightarrow{l}_a P' \mid \phi(Q)$

- $P \xrightarrow{x\langle\tilde v\rangle}_a P',\ \mathrm{bn}(l) \cap \mathrm{fn}(Q) = \emptyset \Rightarrow P \mid Q \xrightarrow{x\langle\tilde v\rangle}_a P' \mid Q$

The remaining rules for the inductive definition of $\xrightarrow{l}_a$ are:

$\bar x\langle\tilde y\rangle \xrightarrow{\bar x\langle\tilde y\rangle}_a 0$

$0 \xrightarrow{x\langle\tilde z\rangle}_a \bar x\langle\tilde z\rangle$

$P \xrightarrow{l}_a Q,\ x \notin \mathrm{fn}(l) \cup \mathrm{bn}(l) \Rightarrow (\nu x)P \xrightarrow{l}_a (\nu x)Q$

$\bar x\langle\tilde y\rangle \mid x(\tilde v).Q \xrightarrow{\tau}_a Q\{\tilde y/\tilde v\}$

$\bar x\langle\tilde y\rangle \mid {!x(\tilde v).Q} \xrightarrow{\tau}_a Q\{\tilde y/\tilde v\} \mid {!x(\tilde v).Q}$

$\bar x\langle\tilde y\rangle \mid \mathrm{timer}^t(x(\tilde v).Q, R) \xrightarrow{\tau}_a Q\{\tilde y/\tilde v\}$

$P \equiv P',\ P' \xrightarrow{l}_a Q',\ Q' \equiv Q \Rightarrow P \xrightarrow{l}_a Q$

$P \xrightarrow{\bar x\langle(\nu\tilde y)\tilde z\rangle}_a Q,\ a \neq x,\ a \in \{\tilde z\} \setminus \{\tilde y\} \Rightarrow (\nu a)P \xrightarrow{\bar x\langle(\nu a\tilde y)\tilde z\rangle}_a Q$

The set of labels is the same as for synchronous transitions. Strong asynchronous bisimilarity $\sim_a$ and its weak counterpart $\approx_a$ are defined just as (strong) synchronous bisimilarity except that $\xrightarrow{l}$ is replaced with $\xrightarrow{l}_a$. The next lemma shows that timers also wreak havoc with labelled equivalences.

Lemma 1. None of $\approx$, $\sim$, $\approx_a$ and $\sim_a$ is closed under parallel composition.

As an example of what may go wrong, note that $P = (\nu x)(\bar x \mid \mathrm{timer}^1(x.\bar y, 0)) \sim (\nu x)(\bar x \mid \mathrm{timer}^1(x.0, \bar y)) = Q$ means $P \mathrel{R} Q$ ($R$ is any of the four equivalences in Lemma 1), but $Q \mid \bar a \xrightarrow{\bar a}_a \xrightarrow{\bar y}_a (\nu x)\bar x$ cannot be matched by $P \mid \bar a$.

This failure of closure under parallel composition is caused by lacking time-closure. Let $\sim'_a$ be the largest strong asynchronous bisimulation that is also time-closed, with $\sim'$, $\approx'$ and $\approx'_a$ being defined similarly. It is easy to show that these four new equivalences are closed under parallel composition. Still, this does not guarantee congruency.

Proposition 2. Assume $x, y, a, b$ are fresh and distinct names. Define

$P = (\nu a)(\bar x\langle a\rangle \mid {!y(v).\bar v})$

$Q = (\nu a)(\bar x\langle a\rangle \mid {!y(v).\bar v} \mid \mathrm{timer}^1(y(v).(\bar v \mid \mathrm{timer}^1(a.\bar b, 0)), 0)).$

If $R$ is one of $\sim$, $\approx_a$, $\sim_a$, $\approx'$, $\approx'_a$ or $\sim'_a$, then $P \mathrel{R} Q$ but not $P\{x/y\} \mathrel{R} Q\{x/y\}$. Consequently, $R$ cannot be closed under any of the three available forms of input prefixing.

In the asynchronous $\pi$-calculus, various reasonable equivalences are congruences. That this fails for $\pi_t$ hints at renaming carrying non-trivial computational content. Interestingly, our example uses nested timers. It is conceivable that prohibiting nesting of timers results in a subcalculus where the relevant equivalences are renaming-closed. The next result shows that failure of renaming-closure is the only defect $\sim'_a$ has vis-à-vis congruency. Define $\sim^{rc}_a$ as the largest strong, time-closed, asynchronous bisimulation that is also renaming-closed.

Proposition 3. $\sim^{rc}_a$ is the largest strong asynchronous bisimulation contained in $\sim_a$ that is also a congruence.

The processes $P$ and $Q$, defined just after Lemma 1, also show that fully abstract and compositional encodings $[\![\cdot]\!]$ of $\pi_t$ into the asynchronous $\pi$-calculus are impossible, when the equivalence $R$ on the source of the encoding is one of those mentioned in Lemma 1. Otherwise we could derive $P \sim Q \Rightarrow [\![P]\!] \bowtie [\![Q]\!] \Rightarrow [\![P]\!] \mid [\![\bar a]\!] \bowtie [\![Q]\!] \mid [\![\bar a]\!] \Rightarrow [\![P \mid \bar a]\!] \bowtie [\![Q \mid \bar a]\!] \Rightarrow P \mid \bar a \sim Q \mid \bar a$ (the target's equivalence $\bowtie$ is only required to be closed under parallel composition for the encoding to be contradictory). The converse question is also interesting: can untimed subcalculi of $\pi_t$, for example the asynchronous $\pi$-calculus, be embedded? Once again the answer seems mostly negative: a translation $[\![\cdot]\!]$ from $\pi_a$ into $\pi_t$ is barb-expansive if for all $P$ and all names $x$ we can find an integer $n > 0$ such that $d([\![P]\!], x) \geq n \cdot d(P, x)$. Here $d(P, x)$ is the least $n$ such that $P \underbrace{\to \cdots \to}_{n} Q \downarrow_x$, and $\omega$ if no such $n$ exists. Then one can easily show the following. Assume the chosen $\pi_a$-equivalence equates $\bar x$ with $\tau.\bar x$. If $[\![\cdot]\!]$ is a barb-expansive mapping from $\pi_a$ into $\pi_t$, then it cannot be complete with reduction congruence being $\pi_t$'s equivalence. In particular, the syntactic inclusion of $\pi_a$ into $\pi_t$ cannot be fully abstract.

2.5 Characterising $T_{max}$ as $\sim^{rc}_a$

In the asynchronous $\pi$-calculus, asynchronous bisimilarity soundly approximates the corresponding maximal theory, but does not characterise it, a counterexample being $\bar x\langle y\rangle \mid \mathrm{eq}_{yz}$ and $\bar x\langle z\rangle \mid \mathrm{eq}_{yz}$, where $\mathrm{eq}_{yz} = \mathrm{fw}_{yz} \mid \mathrm{fw}_{zy}$ [17]. The reason for their semantic equality is that $\mathrm{eq}_{yz}$ turns any observation on $y$ into a weak observation on $z$ and vice versa. There is no way for a process in the asynchronous $\pi$-calculus to detect whether a name has come via $\mathrm{eq}_{yz}$ or not. In $\pi_t$ this is different because forwarding takes time. This leads to the following labelled characterisation of reduction congruence.

Theorem 2. $T_{max} = \sim^{rc}_a \subset \sim'_a \subset \sim_a \subset \approx_a$, and $\sim'_a \subset \approx'_a \subset \approx_a$. In addition $\sim \subset \approx$ and $\approx \subset \approx_a$.

The proof is straightforward, except for showing $T_{max} \subset \sim^{rc}_a$. The key difficulty is to establish that $T_{max} \vdash P = Q$ and $P \xrightarrow{\bar x\langle(\nu\tilde y)\tilde z\rangle}_a P'$ together imply $Q \xrightarrow{\bar x\langle(\nu\tilde y)\tilde z\rangle}_a Q'$ for some $Q'$ with $T_{max} \vdash P' = Q'$. Simplifying greatly, the proof uses a context like

$C[\cdot] = [\cdot] \mid x(\tilde v).\prod_{v_i \in \tilde v} \prod^{f(i)} \bar v_i\langle\dots\rangle$

which receives a tuple of names at $x$ and encodes at what positions in the tuple $\tilde v$ a name $w$ was received by encoding these positions through the number of uninterrupted (even by $\tau$) outputs of $w$. Here $\prod_{i \in \{1, \dots, n\}} P_i = P_1 \mid \cdots \mid P_n$ and $f$ is a suitable function allowing this encoding. The construction of $f$ is delicate and omitted for brevity, but we cannot use simple functions like the identity $i \mapsto i$, because $C[\cdot]$ must be able to distinguish, for example, $\bar x\langle abaa\rangle$ from $\bar x\langle aaab\rangle$. Both have the same number of $a$'s and $b$'s. This is why we must code up not only how many times a name occurs in $\tilde v$ but also at which positions. Using the observational capabilities of timers, we can distinguish processes that can output a fixed name $n$ times, but not $n + 1$ times in an uninterrupted row, from processes that can do more than $n$ uninterrupted outputs of that name. Thus the sketched construction of $C[\cdot]$ ensures that $T_{max} \vdash C[P] = C[Q]$ can only hold if $Q$ can do exactly the same initial outputs as $P$, which is what was needed to be shown. The actual proof is more complicated and can be found in [4].

Examples (2). The next few examples show how easy it is to reason about $T_{max}$ with $\sim^{rc}_a$.

1. The identity forwarder $\mathrm{fw}_{xx}$ and $0$ are strongly reduction congruent. To see this, define $R$ up to $\equiv$ by $\mathrm{fw}_{xx} \mid \prod_i \bar y_i\langle\tilde z_i\rangle \mathrel{R} \prod_i \bar y_i\langle\tilde z_i\rangle$ whenever $\{y_i, \tilde z_i\} \subset \mathcal{N}$. Obviously $R$ is time- and renaming-closed. Since all occurring processes are timer-free, idle transitions can trivially be matched. The only vaguely interesting transition $\mathrm{fw}_{xx} \mid \bar x\langle a\rangle \mid \prod_i \bar y_i\langle\tilde z_i\rangle \xrightarrow{\tau}_a \mathrm{fw}_{xx} \mid \bar x\langle a\rangle \mid \prod_i \bar y_i\langle\tilde z_i\rangle$ is clearly matched by the idle transition $\bar x\langle a\rangle \mid \prod_i \bar y_i\langle\tilde z_i\rangle \xrightarrow{\tau}_a \bar x\langle a\rangle \mid \prod_i \bar y_i\langle\tilde z_i\rangle$.

2. To see that $T_{max} \vdash T_t = \mathrm{timer}^t(x(\tilde v).P, Q)$, simply define the relation $R$ by $T_t \mid \prod^m_{i=1} \bar x_i\langle\tilde y_i\rangle \mathrel{R} \mathrm{timer}^t(x(\tilde v).P, Q) \mid \prod^m_{i=1} \bar x_i\langle\tilde y_i\rangle$. Verification that $R$ has all the required closure properties is easy.

3. Parallel composition and delay operators commute, i.e. $T_{max} \vdash \mathrm{delay}^t(P \mid Q) = \mathrm{delay}^t(P) \mid \mathrm{delay}^t(Q)$: consider $R$ given by $\mathrm{delay}^t(P \mid Q) \mathrel{R} \mathrm{delay}^t(P) \mid \mathrm{delay}^t(Q)$. It is again straightforward to verify that $R \cup \mathrm{id}$ is a renaming-closed, time-closed, asynchronous bisimulation.

Locality. A process $P$ is local if no input is bound by another input, i.e. we do not allow processes like $x(y).y(\tilde v).P$. We denote $\pi_t$ restricted to local processes by $\pi_t^{loc}$. Local processes are convenient for modelling distributed computing.

Theorem 3. All results stated so far also hold in $\pi_t^{loc}$.

3 Adding Location and Message Failure 

One of the main uses of timers is to unblock computations after they have become stuck due to some fault such as a lost message. This is inconvenient to model in $\pi_t$ because it lacks message failures. To explore timers in a more realistic setting, this section augments $\pi_t$ with locations and non-byzantine message failure, obtaining $\pi_{mlt}$.

3.1 Syntax and Semantics of $\pi_{mlt}$

Processes in $\pi_{mlt}$, called networks and closely related to, but not identical with [5], are parallel compositions of messages in transit $\bar x\langle\tilde y\rangle$ and locations or sites $[P]_A$ which execute $\pi_t$ processes. Restriction of names is also possible for networks using $(\nu x)$. For simplicity $P$ must be local and the subscript $A$ contains the free names that $[P]_A$ may use to receive data on. Messages in transit have left their source location but not yet arrived at the destination. Message failure occurs only in transit and can involve loss and duplication of messages.

In summary, our networks are generated by the grammar below.

$N ::= \bar x\langle\tilde y\rangle \;|\; [P]_A \;|\; N_1 \mid N_2 \;|\; (\nu x)N \;|\; 0$

$N$ is well-formed, written $\vdash N$, if $\vdash N$ is derivable using the following rules. (1) $\vdash 0$ is always derivable; (2) $\vdash [P]_A$ if $P$ is local and each free input subject in $P$ is in $A$; (3) $\vdash N_1 \mid N_2$ if $\vdash N_1$ and $\vdash N_2$ and, moreover, $\mathrm{ap}(N_1) \cap \mathrm{ap}(N_2) = \emptyset$; (4) $\vdash (\nu x)N$ if $\vdash N$. Here the access points $\mathrm{ap}(N)$ of a network $N$ are given by: $\mathrm{ap}([P]_A) = A$, $\mathrm{ap}(N_1 \mid N_2) = \mathrm{ap}(N_1) \cup \mathrm{ap}(N_2)$ and $\mathrm{ap}((\nu x)N) = \mathrm{ap}(N) \setminus \{x\}$. The free names of networks are given by $\mathrm{fn}(\bar x\langle\tilde y\rangle) = \{x, \tilde y\}$, $\mathrm{fn}([P]_A) = \mathrm{fn}(P) \cup A$, $\mathrm{fn}(M \mid N) = \mathrm{fn}(M) \cup \mathrm{fn}(N)$, $\mathrm{fn}((\nu x)N) = \mathrm{fn}(N) \setminus \{x\}$, $\mathrm{fn}(0) = \emptyset$. Bound names are omitted. In the remainder of this text, we assume that expressions involving networks such as $[P]_A$ are well-formed. In particular, quantifications like "for all $P$ and all $A$, $[P]_A$ has property X" or even "for all $P$, $[P]_A$ has property X" abbreviate the statement "for all $P$ and all $A$ such that $[P]_A$ is well-formed, $[P]_A$ has property X". On networks, $\equiv$ is generated by the axioms below.

$M \equiv_\alpha N \Rightarrow M \equiv N$   $M \mid N \equiv N \mid M$

$L \mid (M \mid N) \equiv (L \mid M) \mid N$   $M \mid 0 \equiv M$

$x \notin \mathrm{fn}(M) \Rightarrow M \mid (\nu x)N \equiv (\nu x)(M \mid N)$   $(\nu x)(\nu y)M \equiv (\nu y)(\nu x)M$

$(\nu x)0 \equiv 0$   $[(\nu x)M]_A \equiv (\nu x)[M]_{A \cup \{x\}}$

$[0]_\emptyset \equiv 0$   $P \equiv Q \Rightarrow [P]_A \equiv [Q]_A$
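The definitions of active names (Section 2.3), locality (Section 2.5) and network well-formedness via access points (Section 3.1) as an executable checker, added here as an example and not taken from the paper; the sample networks are constructed, and treating a bare message in transit as well-formed with no access points is an assumption since the page states no rule for it.

```python
# Added example, not from the paper: an executable checker for three definitions
# on this page: active names an(P) (Section 2.3), locality of a process (Section
# 2.5) and well-formedness of pi_mlt networks via access points ap(N) (Section
# 3.1). Names are strings, name tuples are Python tuples; samples are constructed.
from typing import FrozenSet, NamedTuple, Union

# ---- pi_t processes ---------------------------------------------------------
class Nil(NamedTuple): pass                                   # 0
class Out(NamedTuple): x: str; y: tuple                       # x<y>, asynchronous output
class In(NamedTuple): x: str; v: tuple; body: object          # x(v).P
class Rep(NamedTuple): x: str; v: tuple; body: object         # !x(v).P
class Timer(NamedTuple): t: int; x: str; v: tuple; body: object; alt: object  # timer^t(x(v).P, Q)
class Par(NamedTuple): left: object; right: object            # P | Q
class Res(NamedTuple): x: str; body: object                   # (nu x)P

Proc = Union[Nil, Out, In, Rep, Timer, Par, Res]

def an(p: Proc) -> FrozenSet[str]:
    """Active names, by induction on syntax as in Section 2.3."""
    if isinstance(p, (Out, In, Rep, Timer)):
        return frozenset({p.x})                # subject of the outermost prefix
    if isinstance(p, Par):
        return an(p.left) | an(p.right)
    if isinstance(p, Res):
        return an(p.body) - {p.x}
    return frozenset()                         # an(0) = {}

def inputs(p: Proc, ib: FrozenSet[str] = frozenset(), nb: FrozenSet[str] = frozenset()):
    """Yield (subject, bound by an enclosing input?, bound at all?) for every
    input prefix in p; ib / nb hold the names bound by enclosing inputs / nus."""
    if isinstance(p, (In, Rep, Timer)):
        yield p.x, p.x in ib, p.x in (ib | nb)
        yield from inputs(p.body, ib | set(p.v), nb - set(p.v))
        if isinstance(p, Timer):               # the alternative Q binds nothing new
            yield from inputs(p.alt, ib, nb)
    elif isinstance(p, Par):
        yield from inputs(p.left, ib, nb)
        yield from inputs(p.right, ib, nb)
    elif isinstance(p, Res):
        yield from inputs(p.body, ib - {p.x}, nb | {p.x})

def is_local(p: Proc) -> bool:
    """Local: no input subject is bound by another input, so x(y).y(v).P is excluded."""
    return not any(by_input for _, by_input, _ in inputs(p))

def free_input_subjects(p: Proc) -> FrozenSet[str]:
    """Input subjects bound neither by an input nor by a nu inside p."""
    return frozenset(x for x, _, bound in inputs(p) if not bound)

# ---- pi_mlt networks --------------------------------------------------------
class Msg(NamedTuple): x: str; y: tuple                       # x<y> in transit
class Site(NamedTuple): proc: object; access: FrozenSet[str]  # [P]_A
class NPar(NamedTuple): left: object; right: object           # N1 | N2
class NRes(NamedTuple): x: str; body: object                  # (nu x)N
class NNil(NamedTuple): pass                                  # 0

Net = Union[Msg, Site, NPar, NRes, NNil]

def ap(n: Net) -> FrozenSet[str]:
    """Access points. The page gives the site, parallel and nu cases; that a
    message in transit and 0 have none is an assumption made here."""
    if isinstance(n, Site):
        return frozenset(n.access)
    if isinstance(n, NPar):
        return ap(n.left) | ap(n.right)
    if isinstance(n, NRes):
        return ap(n.body) - {n.x}
    return frozenset()

def well_formed(n: Net) -> bool:
    """Rules (1)-(4) of Section 3.1; a bare message in transit is treated as
    well-formed (assumption: the page states no rule for it)."""
    if isinstance(n, Site):                    # (2): local, free input subjects in A
        return is_local(n.proc) and free_input_subjects(n.proc) <= frozenset(n.access)
    if isinstance(n, NPar):                    # (3): both sides, disjoint access points
        return well_formed(n.left) and well_formed(n.right) and not (ap(n.left) & ap(n.right))
    if isinstance(n, NRes):                    # (4)
        return well_formed(n.body)
    return True                                # (1), and messages in transit

# Constructed samples: the two-hop relay of Examples (3), item 1, with
# fw_xy = !x(v).y<v>, and the retransmitting sender of item 2 (with P = Q = 0).
def fw(x: str, y: str) -> Proc:
    return Rep(x, ("v",), Out(y, ("v",)))

RELAY = NPar(NPar(NPar(Site(Out("x", ("a",)), frozenset()),
                       Site(fw("x", "y"), frozenset({"x"}))),
                  Site(fw("y", "z"), frozenset({"y"}))),
             Site(In("z", ("v",), Nil()), frozenset({"z"})))

def sender(t: int) -> Proc:
    """(nu ab)(x<ya> | timer^t(a, b) | !b.(x<ya> | timer^t(a, b)))"""
    resend = Par(Out("x", ("y", "a")), Timer(t, "a", (), Nil(), Out("b", ())))
    return Res("a", Res("b", Par(resend, Rep("b", (), resend))))

RETRANS = NPar(Site(sender(3), frozenset()), Site(In("x", ("v", "a"), Out("a", ())), frozenset({"x"})))
# Ill-formed variants: two sites sharing access point x, and a non-local site.
CLASH = NPar(Site(fw("x", "y"), frozenset({"x"})), Site(fw("x", "z"), frozenset({"x"})))
NONLOCAL = Site(In("x", ("y",), In("y", ("v",), Nil())), frozenset({"x", "y"}))
```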

One of the key objectives in the design of $\pi_{mlt}$ was to retain the semantics of the underlying $\pi_t$, to allow separation of reasoning about networks from reasoning about processes. Hence the first reduction rule.

(Intra) $P \to Q \Rightarrow [P]_A \to [Q]_A$

Inter-site communication happens by message migration.

(Out) $x \notin A,\ [\bar x\langle\tilde y\rangle \mid P]_A \to [\phi(P)]_A \mid \bar x\langle\tilde y\rangle$

(In) $x \in A,\ [P]_A \mid \bar x\langle\tilde y\rangle \to [P \mid \bar x\langle\tilde y\rangle]_A$

Incursion of one time step in (Out) is crucial for a smooth integration of $\pi_t^{loc}$ into $\pi_{mlt}$. Message failures arise from the following rules (which deal with messages in transit only).

(Loss) $\bar x\langle\tilde y\rangle \to 0$   (Dupl) $\bar x\langle\tilde y\rangle \to \bar x\langle\tilde y\rangle \mid \bar x\langle\tilde y\rangle$

Many distributed systems offer only weak guarantees on the upper bound of inter-location clock drift. (Par) reflects this by not synchronising different sites through application of time-stepping.

(Par) $M \to M' \Rightarrow M \mid N \to M' \mid N$

The remaining rules are:

(Cong) $M \equiv M' \to N' \equiv N \Rightarrow M \to N$   (Res) $M \to N \Rightarrow (\nu x)M \to (\nu x)N$.

A binary relation $R$ on networks is a $\pi_{mlt}$-congruence if it is an equivalence, if $\equiv \subset R$ and if $P \mathrel{R} Q$ implies $C[P] \mathrel{R} C[Q]$ for all network contexts $C[\cdot]$. Network contexts are given by the grammar $C[\cdot] ::= [\cdot] \;|\; C[\cdot] \mid N \;|\; (\nu x)C[\cdot]$. Barbs are generated by the following rules: $M \downarrow_x$ and $x \notin \mathrm{ap}(N)$ imply $M \mid N \downarrow_x$; $M \downarrow_x$ and $x \neq a$ imply $(\nu a)M \downarrow_x$; and $\bar x\langle\tilde y\rangle \downarrow_x$. A symmetric binary relation $R$ on networks is a strong barbed bisimulation if it is a $\pi_{mlt}$-congruence and if $M \mathrel{R} N$ implies: (1) for all names $x$: $M \downarrow_x \Rightarrow N \downarrow_x$; and (2) whenever $M \to M'$ then there is a network $N'$ such that $N \to N'$ and $M' \mathrel{R} N'$. The largest strong barbed bisimulation $\sim$ is called strong reduction congruence. Barbed bisimulation and reduction congruence $\approx$ are derived as usual.



Examples (3)

1. Let $\mathrm{fw}_{xy} = {!x(\tilde v).\bar y\langle\tilde v\rangle}$. Then the network $[\bar x\langle a\rangle]_\emptyset \mid [\mathrm{fw}_{xy}]_x \mid [\mathrm{fw}_{yz}]_y \mid [z(v).Q]_z$ tries to relay the message $\bar x\langle a\rangle$ via two intermediate hops to $[z(v).Q]_z$, where it will be used by $Q$. It can be seen as a distributed version of $\bar x\langle a\rangle \mid \mathrm{fw}_{xy} \mid \mathrm{fw}_{yz} \mid z(v).Q$, but semantically it is rather different, due to message loss and duplication.

2. The next example shows how to deal with message failure.

$[(\nu ab)(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b) \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))}) \mid P]_A \mid [x(\tilde v a).(\bar a \mid Q)]_B.$

The location on the left sends a message to the one on the right and sets a timer to wait for an acknowledgement. If that doesn't come in time, it resends the original message.

3. We can also locate the time services of Example 1(3) as $[\mathrm{delay}^n(P, n)]_A$, but because there is no synchronisation of time between sites, this is not very effective: the location is bisimilar to $[P \oplus 0]_A$.

The last example is indicative of $\pi_{mlt}$ being too asynchronous for realistic models of distributed systems. In other aspects, too, this calculus is overly idealising, for example in its lack of location failure. The point of $\pi_{mlt}$ is rather to facilitate the study of message failure in isolation, as a first step towards more realistic models.

3.2 The Maximal Sound Theory 

The development in this section mirrors that for $\pi_t$, with proofs being similar, albeit more involved because of possible message failure. $\pi_{mlt}$-logics $(F, \vdash)$ are like $\pi_t$-logics, except that formulae are now pairs $(M, N)$ of networks such that $\mathrm{ap}(M) = \mathrm{ap}(N)$.

As in $\pi_t$, there is no maximal consistent and reduction-closed theory. A network $M$ is insensitive if $\mathrm{an}(N) = \emptyset$ for all reduction sequences $M \twoheadrightarrow N$, where active names for networks extend those of processes: $\mathrm{an}(\bar x\langle\tilde y\rangle) = \{x\}$, $\mathrm{an}([P]_A) = \mathrm{an}(P)$, $\mathrm{an}(M \mid N) = \mathrm{an}(M) \cup \mathrm{an}(N)$, $\mathrm{an}((\nu x)N) = \mathrm{an}(N) \setminus \{x\}$, $\mathrm{an}(0) = \emptyset$. A theory is sound if it is consistent, reduction-closed and identifies all insensitive terms. As before, we set $T_{max} = \bigcup\{T \mid T \text{ is a sound theory}\}$. $T_{max}$ is called the maximum sound theory.



Theorem 4. (1) $T_{max}$ is the unique sound theory such that $|T| \subset |T_{max}|$ for all sound theories $T$. (2) There is no largest consistent, reduction-closed theory. (3) $|T_{max}| = T_{max} = \approx$ and $\sim \subset \approx$.



3.3 Labelled Semantics 

As with $\pi_t$, we present an asynchronous transition system $\xrightarrow{l}_a$. The induced asynchronous bisimilarity soundly approximates $T_{max}$, but does not characterise it. Characterisation fails because the timers in different sites are not synchronised. The most interesting rule is that for parallel composition

$M \xrightarrow{l}_a M',\ \mathrm{bn}(l) \cap \mathrm{fn}(N) = \emptyset,\ (l = \bar x\langle(\nu\tilde y)\tilde z\rangle \Rightarrow x \notin \mathrm{ap}(N)) \Rightarrow M \mid N \xrightarrow{l}_a M' \mid N$

The reason for the side condition $l = \bar x\langle(\nu\tilde y)\tilde z\rangle \Rightarrow x \notin \mathrm{ap}(N)$ is that well-formed observers cannot input on channels that are in $\mathrm{ap}(N)$.

The remaining rules follow.

$M \xrightarrow{l}_a N,\ x \notin \mathrm{fn}(l) \cup \mathrm{bn}(l) \Rightarrow (\nu x)M \xrightarrow{l}_a (\nu x)N$

$x \notin A \Rightarrow [P \mid \bar x\langle\tilde y\rangle]_A \xrightarrow{\tau}_a [\phi(P)]_A \mid \bar x\langle\tilde y\rangle$

$x \in A \Rightarrow [P]_A \mid \bar x\langle\tilde y\rangle \xrightarrow{\tau}_a [P \mid \bar x\langle\tilde y\rangle]_A$

$M \equiv M' \xrightarrow{l}_a N' \equiv N \Rightarrow M \xrightarrow{l}_a N$

$0 \xrightarrow{x\langle\tilde y\rangle}_a \bar x\langle\tilde y\rangle$

$\bar x\langle\tilde y\rangle \xrightarrow{\bar x\langle\tilde y\rangle}_a 0$

$\bar x\langle\tilde z\rangle \xrightarrow{\tau}_a 0$

$\bar x\langle\tilde z\rangle \xrightarrow{\tau}_a \bar x\langle\tilde z\rangle \mid \bar x\langle\tilde z\rangle$

$P \xrightarrow{l}_a Q \Rightarrow [P]_A \xrightarrow{l}_a [Q]_A$

$M \xrightarrow{\bar x\langle(\nu\tilde y)\tilde z\rangle}_a N,\ a \neq x,\ a \in \{\tilde z\} \setminus \{\tilde y\} \Rightarrow (\nu a)M \xrightarrow{\bar x\langle(\nu a\tilde y)\tilde z\rangle}_a N$

A symmetric relation $R$ is a strong asynchronous bisimulation if $(M, N) \in R$ implies that whenever $M \xrightarrow{l}_a M'$ then there is a transition $N \xrightarrow{l}_a N'$ such that $M' \mathrel{R} N'$. The largest strong asynchronous bisimulation $\sim_a$ is called strong asynchronous bisimilarity. The largest asynchronous bisimulation $\approx_a$ is defined analogously.

Theorem 5. (1) If $T_{max} \vdash P = Q$ then $[P]_A \sim_a [Q]_A$, where $T_{max}$ is the maximal sound theory on $\pi_t^{loc}$; (2) $\approx_a$ is a congruence; (3) $\approx_a$ is not closed under renaming; (4) $\sim_a \subset \approx_a \subset T_{max}$.

To see that $T_{max}$ properly includes $\approx_a$, consider $[P \mid \mathrm{eq}_{yz} \mid \bar x\langle y\rangle]_A \not\approx_a [P \mid \mathrm{eq}_{yz} \mid \bar x\langle z\rangle]_A$ where $A$ contains $y, z$ and $P$ is an arbitrary process. To verify that these two networks are related by $T_{max}$, define $T$ by

$[P \mid \mathrm{eq}_{yz} \mid \bar x\langle y\rangle \mid \prod_{i \in I} \bar a_i\langle\tilde b_i\rangle]_A \mid \prod_{j \in J} \bar c_j\langle\tilde d_j\rangle \mathrel{T} [Q \mid \mathrm{eq}_{yz} \mid \bar x\langle z\rangle \mid \prod_{i \in I} \bar a_i\langle\tilde b_i\rangle]_A \mid \prod_{j \in J} \bar c_j\langle\tilde d_j\rangle$

$[P \mid \mathrm{eq}_{yz} \mid \prod_{i \in I} \bar a_i\langle\tilde b_i\rangle]_A \mid \prod_{j \in J} \bar c_j\langle\tilde d_j\rangle \mathrel{T} [Q \mid \mathrm{eq}_{yz} \mid \prod_{i \in I} \bar a_i\langle\tilde b_i\rangle]_A \mid \prod_{j \in J} \bar c_j\langle\tilde d_j\rangle$

It is possible but laborious to verify that $T \cup \{(M, N) \mid M, N \text{ insensitive}\}$ is a sound theory.

This theorem shows that $\pi_{mlt}$ integrates and extends $\pi_t^{loc}$ in a strong sense. Congruency and failure of renaming-closure can coexist because $\pi_{mlt}$ does not have prefixing operators.

3.4 Locating Processes 

How expressive is $\pi_{mlt}$ compared with $\pi_t$? It might be possible to modify the separation result in [10] to show that $\pi_t$ cannot (nicely) encode $\pi_{mlt}$. The other way round may be more interesting: how is (discretely timed) name-passing affected by message failure? Would it be possible to design a non-distributed process first, without having to worry about distribution, and then scaffold it so that it can function in a distributed setting? This roughly boils down to finding a transformation $(\cdot)^*$ that allows one to go from non-located, failure-free processes $P \mid Q$ to $[P^*]_A \mid [Q^*]_B$ in a semantics-preserving way. Without message failure, that would not be a problem, but losing messages might lead to deadlocks and duplicated messages may confuse a receiver. We suspect that no appropriate encoding $(\cdot)^*$ could work for all $\pi_t$ processes. But that does not mean translations must fail for all processes. As an example of a class of processes that allows distribution, let $P, Q$ be timer-free and $x \notin \mathrm{fn}(P) \cup \mathrm{fn}(Q)$. Assume we wanted to distribute $P \mid \bar x\langle\tilde y\rangle$ and $x(\tilde v).Q$ as $[(P \mid \bar x\langle\tilde y\rangle)^*]_A \mid [(x(\tilde v).Q)^*]_B$. By the conditions on free names, message duplication is no problem. To overcome message loss, we replace $\bar x\langle\tilde y\rangle$ with $(\nu ab)(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b) \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))})$ and $x(\tilde v).Q$ with $x(\tilde v a).(\bar a \mid Q)$ ($a, b$ fresh and ignoring the scaffolding of $P$ and $Q$ for brevity), i.e. we do what TCP does to deal with message loss and add an explicit acknowledgement. If that isn't returned in time, the original message is resent. The resulting distributed process is

$[P^* \mid (\nu ab)(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b) \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))})]_A \mid [x(\tilde v a).(\bar a \mid Q^*)]_B.$

It is equated by $T_{max}$ with $[P^*]_A \mid [Q^*\{\tilde y/\tilde v\}]_B$, as we sketch later. This translation is quite inefficient, it even introduces divergence, but that does not matter because, due to the absence of inter-site clock synchronisation, $T_{max}$ is divergence insensitive. More sophisticated variants of our translation are possible, the pragmatically most important being putting an upper bound on the number of retransmissions and making time-out times contingent on the number of failed retransmissions. It would also be possible to dispense with acknowledgements and time-outs altogether: simply use $(\nu a)(\bar a \mid {!a.(\bar x\langle\tilde y\rangle \mid \bar a)})$ to flood the receiver with an unbounded number of messages. This brute-force approach is semantically sound under the aforementioned constraints, but it has less potential for generalisation and refinement, whether by using less asynchronous equivalences or by limiting the number of retransmissions.

Continuing with the process above, we show that $[P^*]_A \mid [Q^*\{\tilde y/\tilde v\}]_B$ is related by $\approx_a$ to $[P^* \mid (\nu ab)(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b) \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))})]_A \mid [x(\tilde v a).(\bar a \mid Q^*)]_B$. Set $U^t = (\mathrm{timer}^t(a, \bar b) \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))})$. In addition, let $R \oplus S$, the internal sum of $R$ and $S$, be the process $(\nu a)(a.R \mid a.S \mid \bar a)$, where $a$ is fresh. Then we can reason in little steps as follows.

$[P^* \mid (\nu ab)(\bar x\langle\tilde y a\rangle \mid U^t)]_A \mid [x(\tilde v a).(\bar a \mid Q^*)]_B$

$\equiv (\nu ab)([P^* \mid \bar x\langle\tilde y a\rangle \mid U^t]_{A \cup \{ab\}} \mid [x(\tilde v a).(\bar a \mid Q^*)]_B)$

$\approx_a (\nu ab)([P^* \mid U^t]_{A \cup \{ab\}} \mid [\bar x\langle\tilde y a\rangle \mid x(\tilde v a).(\bar a \mid Q^*)]_B)$

$\approx_a (\nu ab)([P^* \mid U^t]_{A \cup \{ab\}} \mid [\bar a \mid Q^*\{\tilde y/\tilde v\}]_B)$

$\approx_a (\nu ab)([P^* \mid U^t \mid \bar a]_{A \cup \{ab\}} \mid [Q^*\{\tilde y/\tilde v\}]_B)$

$\equiv (\nu ab)([P^* \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))} \mid \mathrm{timer}^t(a, \bar b) \mid \bar a]_{A \cup \{ab\}} \mid [Q^*\{\tilde y/\tilde v\}]_B)$

$\approx_a (\nu ab)([P^* \mid {!b.(\bar x\langle\tilde y a\rangle \mid \mathrm{timer}^t(a, \bar b))} \mid 0 \oplus \bar b]_{A \cup \{ab\}} \mid [Q^*\{\tilde y/\tilde v\}]_B)$

$\approx_a (\nu ab)([P^* \mid {!b.\mathrm{timer}^t(a, \bar b)} \mid 0 \oplus \bar b]_{A \cup \{ab\}} \mid [Q^*\{\tilde y/\tilde v\}]_B)$

$\approx_a (\nu ab)([P^*]_{A \cup \{ab\}} \mid [Q^*\{\tilde y/\tilde v\}]_B)$

$\equiv (\nu ab)[P^*]_{A \cup \{ab\}} \mid [Q^*\{\tilde y/\tilde v\}]_B$

$\approx_a [P^*]_A \mid [Q^*\{\tilde y/\tilde v\}]_B$

The justification of all the individual steps by defining appropriate bisimulations is straightforward, but rather tedious; [4] has all the details.



4 Conclusion 

Models of timed computation are legion; we mention [8, 14] in lieu of a comprehensive overview. A close look at the omitted proofs reveals that bound name passing plays no significant role; scope mobility seems orthogonal to timing, at least in this early stage of integration. This promises easy transfer of the presented technology to other timed calculi. Formalisms for distributed computing are also too numerous to survey here. Most closely related are Dpi [24], Nomadic Pict [25] and the Join Calculus [13]. Other influential distributed extensions of $\pi$-calculi can be found in [2, 3, 22]. Possibly the most important criticism of $\pi_t$ is that it is too synchronous, but also too asynchronous for realistic models. Too synchronous because the absence of clock-drift forces many (in)equalities that might be inappropriate, the coincidence of $\sim^{rc}_a$ and $\approx^{rc}_a$ being an example. Always allowing time to pass by (Idle) means that important progress assumptions can be expressed only indirectly, leading to the charge of too much asynchrony. By modifying the time-stepper $\phi(\cdot)$, it is possible to express clock-drift, thus coarsening equivalences. Having all timers be of the form $\mathrm{timer}^{t \cdot n}(x(\tilde v).P, Q)$ for some fixed $n > 1$ may also be an important step towards more liberal equalities. Arbitrary progress assumptions can be studied by semantically restricting the set of valid traces. On the network level, $\pi_{mlt}$ is also too asynchronous because it puts no constraints on inter-site clock-drift. With modern clock-synchronisation algorithms [19] it is possible to push clock-drift under the average inter-site communication latency (which is still many orders of magnitude above the duration of atomic computational steps). By modifying (Par) at the network level to also apply $\phi(\cdot)$, suitably augmented to allow inter-site clock-drift, $\pi_{mlt}$ may also become more realistic. A multidimensional open problem looming large is the expressive power of $\pi_t$ and $\pi_{mlt}$. One of its most interesting facets is the question whether the translation in §3.4 could be refined to allow a larger class of $\pi_t$-processes to be mechanically distributed into $\pi_{mlt}$.



References 

1. Abdulla, P. A., and Jonsson, B. Verifying programs with unreliable channels. Info. & Comp. 127, 2 (1996), 91-101.

2. Amadio, R. M. An asynchronous model of locality, failure, and process mobility. In Proc. COORDINATION 97 (1997), vol. 1282 of LNCS.

3. Amadio, R. M., and Prasad, S. Localities and failures. In Proc. FSTTCS'94 (1994), vol. 880 of LNCS.

4. Berger, M. Towards Abstractions for Distributed Systems. PhD thesis, Imperial College, London, 2002.

5. Berger, M., and Honda, K. The Two-Phase Commit Protocol in an Extended π-Calculus. In Proc. EXPRESS'00 (2000), vol. 39 of ENTCS.

6. Berger, M., Honda, K., and Yoshida, N. Sequentiality and the π-calculus. In Proc. TLCA'01 (2001), vol. 2044 of LNCS.

7. Berger, M., Honda, K., and Yoshida, N. Genericity and the π-Calculus. In Proc. FOSSACS'03 (April 2003), no. 2620 in LNCS, Springer, pp. 103-119.

8. Bergstra, J. A., Ponse, A., and Smolka, S. A., Eds. Handbook of Process Algebra. Elsevier, 2001.

9. Börger, E., and Stärk, R. Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, 2003.

10. Carbone, M., and Maffeis, S. On the expressive power of polyadic synchronisation in pi-calculus. In Proc. EXPRESS'02 (2002), vol. 68 of ENTCS.

11. Cardelli, L., and Gordon, A. Mobile ambients. TCS 240 (2000).

12. Fournet, C., and Gonthier, G. A hierarchy of equivalences for asynchronous calculi. In Proc. ICALP'98 (1998), no. 1443 in LNCS.

13. Fournet, C., Gonthier, G., Lévy, J.-J., Maranget, L., and Rémy, D. A Calculus of Mobile Agents. In Proc. CONCUR (1996), vol. 1119 of LNCS.

14. Hennessy, M. Timed process algebras: a tutorial. Tech. Rep. CS 1993:02, University of Sussex, Computer Science Department, 1993.

15. Honda, K. Two bisimilarities in ν-calculus. Tech. Rep. 92-002, Keio University, Department of Computer Science, 1992.

16. Honda, K., and Tokoro, M. On asynchronous communication semantics. In Object-Based Concurrent Computing (1992), no. 612 in LNCS.

17. Honda, K., and Yoshida, N. On reduction-based process semantics. TCS 151 (1995).

18. Honda, K., and Yoshida, N. A uniform type structure for secure information flow. In POPL'02 (2002), ACM Press, pp. 81-92.

19. Mills, D. Time synchronization server. URL http://www.eecis.udel.edu/~ntp/.

20. Milner, R., Parrow, J., and Walker, D. A calculus of mobile processes, parts I and II. Info. & Comp. 100, 1 (1992).

21. Milner, R., and Sangiorgi, D. Barbed bisimulation. In Proc. ICALP'92 (1992), vol. 623 of LNCS.

22. Riely, J., and Hennessy, M. Distributed processes and location failures. TCS 226 (2001).

23. Sangiorgi, D., and Walker, D. The π-Calculus: a Theory of Mobile Processes. Cambridge University Press, 2001.

24. Sewell, P. Global/local subtyping and capability inference for a distributed pi-calculus. In Proc. ICALP'98 (1998), vol. 1442 of LNCS.

25. Wojciechowski, P. Nomadic Pict: Language and Infrastructure Design for Mobile Computation. PhD thesis, University of Cambridge, 2000.

26. Yoshida, N., Berger, M., and Honda, K. Strong Normalisation in the π-Calculus. In Proc. LICS'01 (2001), IEEE, pp. 311-322. The full version to appear in Journal of Information and Computation.




Characterizing EF and EX Tree Logics 



Mikołaj Bojańczyk^1* and Igor Walukiewicz^2

1 Uniwersytet Warszawski, Banacha 2, 02-097 Warszawa, Poland
2 LaBRI, Université Bordeaux I, 351 cours de la Libération, 33405 Talence Cedex, France



Abstract. We characterize the expressive power of EX, EF and EX+EF 
logics. These are the fragments of CTL built using the respective opera- 
tors. We give a forbidden pattern characterization of the tree languages 
definable in these logics. The characterizations give optimal algorithms 
for deciding if a given tree language is expressible in one of the three 
logics. 



1 Introduction 

We consider the definability problem for logics over binary trees: given a tree language, decide if it can be expressed by a formula of the logic in question. The main motivation for considering this problem is to understand the expressive power of tree logics. Although a very old question, it has gained new relevance with the XML community's burgeoning interest in tree models [8]. Indeed, numerous new formalisms for describing tree properties have been recently proposed.

For words the definability question is well studied and understood. Starting from the celebrated Schützenberger theorem [12], characterizing star-free word languages by aperiodicity, numerous other language classes have been characterized. In particular, we now have a good understanding of the expressive power of LTL and its fragments [14, 18]. This is in sharp contrast with the case of trees, where much less is known.

We feel that the major goal in the study of the definability problem for trees is to characterize the expressive power of first-order logic, or equivalently CTL* [1] (we consider finite binary trees here). It seems however that this is a difficult problem whose solution demands new tools and expertise. This is why we have decided to consider fragments of CTL* where the problem turns out to be easier. The fragments in question use the operators EX (there is a successor) and EF (there is a descendant). Apart from being a step towards solving the first-order definability problem, these fragments are interesting on their own. The model-checking problem for them is easier than for CTL: for example when a model is given by a BPP [2] or by a push-down system [16]. The operators EX and EF are also closely related to path operators of XPath [5, 4].
We prove the definability problem decidable for three logics: EX, EF and EX+EF. These are built by using the eponymous operators along with boolean connectives. Our decision procedures use a sort of forbidden pattern characterizations which are expressed in terms of the minimal leaves-to-root automaton recognizing a given tree language. The resulting algorithms are polynomial in the number of states of the minimal automaton, or to say it differently, in the number of types of the tree language. If, on the other hand, we assume that the input is a CTL formula or a nondeterministic tree automaton, then we obtain the EXPTIME upper bound matching the obvious lower bound for the problem.

As mentioned above, not much is known about the definability problem. 
There exist basic results: characterizations of the class of regular tree languages 
by monadic second-order logic [15] or the mu-calculus [9]; equivalence of first- 
order logic and CTL* over finite binary trees [6]. Yet there is no equivalent of 
the Schützenberger theorem for trees; indeed the decidability of the problem is still 
open. There has been some work in this direction; in particular borrowing the 
notion of aperiodicity from the word case is known to be insufficient [11, 7]. It 
is also a valid question to compare the characterizations presented in this paper 
with the ones in [18] for the corresponding logics for words. Although there is 
some resemblance between the two, our results need more than a straightforward 
extension of the forbidden pattern characterizations from the word case. This is 
in a way unfortunate because it suggests that an equivalent of the Schützenberger 
theorem for trees may also require an intricate extension of aperiodicity. 

The plan of the paper is as follows. After a preliminary section we briefly 
state a characterization of EX logic. This is very similar to a characterization 
of modal logics presented in the literature [10] so we mention the result mostly 
for completeness. In the next two sections we characterize the EF and EX+EF 
logics respectively. Maybe counterintuitively, the argument for the weaker EF 
logic is longer. In the penultimate section we summarize the results, showing 
how they imply decidability algorithms. Finally, we justify our characterizations 
by pointing out why the forbidden patterns known from the word case do not 
adapt directly to the tree case. 



2 Basic Definitions 

Let $\Sigma$ be a finite set called the alphabet. We will denote elements of $\Sigma$ by $a, b, c, \ldots$ 
and call them letters. 

A binary tree is a finite prefix-closed subset of $\{0,1\}^*$ such that for every $v \in 
\{0,1\}^*$: $v0$ is in the tree if and only if $v1$ is. Allowing vertices with one successor 
would not change our results but would slightly complicate the notation. The 
empty sequence $\varepsilon$ is the root of the tree. For $w, v \in \{0,1\}^*$, we write $w > v$ if $v$ 
is a proper prefix of $w$: we call $w$ a descendant of $v$. 

A $\Sigma$-tree is a function $t : S \to \Sigma$ where $S$ is a binary tree. By $\mathrm{dom}(t)$ we 
denote the domain of $t$, i.e. $S$. We use $\mathrm{Trees}(\Sigma)$ to denote the set of $\Sigma$-labeled 
trees. A $\Sigma$-language is any subset $L \subseteq \mathrm{Trees}(\Sigma)$. 
Given a $\Sigma$-tree $t$ and $v \in \mathrm{dom}(t)$, the tree $t|_v : \{w : v \cdot w \in \mathrm{dom}(t)\} \to \Sigma$ is 
defined by $t|_v(w) = t(v \cdot w)$. For two $\Sigma$-trees $t_0, t_1$ and $a \in \Sigma$, let $a[t_0, t_1]$ denote 
the unique $\Sigma$-tree $t$ such that $t(\varepsilon) = a$, $t|_0 = t_0$ and $t|_1 = t_1$. The substitution 
$t[v := s]$ of a tree $s$ in a node $v$ of a tree $t$ is defined in the standard way. 

A $\Sigma$-multicontext is a tree $C$ over the alphabet $\Sigma \cup \{[\,]\}$ with the letter $[\,]$ 
labeling only leaves, called holes of $C$. For a multicontext $C$ with $n$ holes and $\Sigma$-trees 
$t_1, \ldots, t_n$ the substitution operation $C[t_1, \ldots, t_n]$ is defined in the natural 
manner ($t_1$ being substituted in the leftmost hole, etc.). Given a function $\nu$ assigning 
$\Sigma$-trees to the holes $\{v_1, \ldots, v_n\}$ in $C$, $C[\nu]$ is shorthand for $C[\nu(v_1), \ldots, \nu(v_n)]$. 
A multicontext with only one hole $v$ is called a context and denoted $C[\,]$. 

Two trees $s$ and $t$ are context equivalent when for all contexts $C[\,]$ we have: 
$C[s] \in L$ if and only if $C[t] \in L$. An $L$-type is an equivalence class of this 
relation. Types will be denoted by letters $\alpha, \beta, \ldots$ We write $\mathrm{type}_L(t)$ for the 
type of the tree $t$. Observe that the type of a tree $a[t_0, t_1]$ depends only on the 
letter $a$ and the types of $t_0$ and $t_1$. This justifies the notation $a[\alpha_0, \alpha_1]$ for some 
types $\alpha_0, \alpha_1$. Similarly we write $C[\beta]$ for the type of the tree $C[s]$ where $s$ is some 
tree of type $\beta$. A language is regular if it has a finite number of types. 

The set of EX+EF formulas over an alphabet $\Sigma$ is defined by the following 
grammar, where $a$ ranges over $\Sigma$: 

$\varphi ::= a \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \neg\varphi \mid EX\,\varphi \mid EF\,\varphi$ 

The operators in the last two productions of this grammar are called the 
modalities. The validity of a formula $\varphi$ in a tree $t$, denoted $t \models \varphi$, is defined by 
induction on $\varphi$: 

— $t \models a$ if $a = t(\varepsilon)$, for $a \in \Sigma$; 

— validity for boolean operations is defined in the standard way; 

— $t \models EX\,\varphi$ if there is a node $w \in \{0, 1\}$ with $t|_w \models \varphi$; 

— $t \models EF\,\varphi$ if there is a node $w > \varepsilon$ with $t|_w \models \varphi$. 

Observe that EF has strict semantics: the root itself is never a witness for $EF\,\varphi$. 
The formula $AX\,\varphi$ is an abbreviation of $\neg EX\,\neg\varphi$. The formula $AG\,\varphi$ is an 
abbreviation of $\neg EF\,\neg\varphi$. 

Given a set of modalities $\mathcal{M} \subseteq \{EF, EX\}$, we use $TL(\mathcal{M})$ for the set of 
formulas constructed using boolean operations, letter constants and modalities 
from $\mathcal{M}$. We say that a language $L$ is $TL(\mathcal{M})$-definable if and only if there exists 
a formula in $TL(\mathcal{M})$ satisfied in exactly the trees from $L$. 
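The definitions above can be executed directly. The following Python is an added example, not code from the paper: it encodes finite binary trees as nested tuples (a leaf `('a',)` or an inner node `('a', left, right)`, so every node has zero or two sons), formulas of TL(EX, EF) as tagged tuples, and the satisfaction relation $t \models \varphi$ with the strict semantics of EX and EF, together with the abbreviations AX, AG and the non-strict AG* that the paper uses later. The constructor names, the sample tree `T` and the function `modality_depth` are assumptions made here for illustration.

```python
"""TL(EX, EF) over finite binary trees: an executable version of Section 2.

Added example, not code from the paper.  A tree is a leaf ('a',) or an
inner node ('a', left, right): every node has zero or two sons, as in the
definition of a binary tree.  Formulas are tagged tuples.
"""


def leaf(a):
    return (a,)


def node(a, left, right):
    return (a, left, right)


def proper_subtrees(t):
    """Yield t|_w for every node w > e, i.e. every proper descendant of the root."""
    for son in t[1:]:
        yield son
        yield from proper_subtrees(son)


# Formula constructors: letter constants, boolean connectives and the modalities.
def letter(a):
    return ('letter', a)


def Not(f):
    return ('not', f)


def And(f, g):
    return ('and', f, g)


def Or(f, g):
    return ('or', f, g)


def EX(f):
    return ('EX', f)


def EF(f):
    return ('EF', f)


# Abbreviations used in the paper.
def AX(f):
    return Not(EX(Not(f)))        # every son satisfies f


def AG(f):
    return Not(EF(Not(f)))        # every proper descendant satisfies f


def AGstar(f):
    return And(f, AG(f))          # non-strict AG: the root as well


def sat(t, f):
    """t |= f by induction on f.  EX inspects the sons only and EF the proper
    descendants only, so neither modality is ever witnessed by the root."""
    kind = f[0]
    if kind == 'letter':
        return t[0] == f[1]
    if kind == 'not':
        return not sat(t, f[1])
    if kind == 'and':
        return sat(t, f[1]) and sat(t, f[2])
    if kind == 'or':
        return sat(t, f[1]) or sat(t, f[2])
    if kind == 'EX':
        return any(sat(son, f[1]) for son in t[1:])
    if kind == 'EF':
        return any(sat(s, f[1]) for s in proper_subtrees(t))
    raise ValueError('unknown formula: %r' % (f,))


def modality_depth(f):
    """Nesting depth of modalities, the measure used by the k-round game later on."""
    kind = f[0]
    if kind == 'letter':
        return 0
    if kind in ('EX', 'EF'):
        return 1 + modality_depth(f[1])
    return max(modality_depth(g) for g in f[1:])


# Constructed sample tree a[b[a, c], c].
T = node('a', node('b', leaf('a'), leaf('c')), leaf('c'))

if __name__ == '__main__':
    print(sat(T, EF(letter('a'))))              # True: node 00 is labeled a
    print(sat(leaf('a'), EF(letter('a'))))      # False: EF is strict
    print(sat(T, AGstar(Not(letter('d')))))     # True
```

The strictness of EF is the point to watch: the one-node tree labeled $a$ does not satisfy $EF\,a$, while $AG^*\varphi = \varphi \wedge AG\,\varphi$ is the version that also constrains the root.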



3 TL(EX) 

In this section we state a characterization of TL(EX)-definable languages. We 
do this for the sake of completeness since the characterization is essentially the 
same as in [10]. 

Definition 1. Two trees are identical up to depth $k$ if they are the same when 
restricted to $\{0,1\}^{\le k}$. We say that a language $L$ is dependent on depth $k$ if 
every two trees which are identical up to depth $k$ have the same $L$-type. 

A context is nontrivial if its hole is not in the root. 

Definition 2. Let $L$ be a language and let $\alpha, \beta$ be two distinct $L$-types. We say 
that the language $L$ contains an $\{\alpha, \beta\}$-loop if for some nontrivial context $C[\,]$, 
both $C[\alpha] = \alpha$ and $C[\beta] = \beta$ hold. 

Theorem 1. For a regular language $L$, the following conditions are equivalent: 

1. $L$ is TL(EX)-definable; 

2. For some $k \in \mathbb{N}$, $L$ is dependent on depth $k$; 

3. $L$ does not have an $\{\alpha, \beta\}$-loop for any two $L$-types $\alpha, \beta$. 



4 TL(EF) 

In this section we show a characterization of TL(EF)-definable languages. This 
is the most involved section of the paper, with a long technical proof. 

Before we can formulate the main theorem (Theorem 2) we need some auxiliary 
definitions. We start with the key definition in this section: that of a delayed 
type. 

Given a $\Sigma$-tree $t$ and a letter $a \in \Sigma$, we write $t(a)$ to denote the tree obtained 
from $t$ by relabeling the root with the letter $a$. With every $\Sigma$-tree $t$ we associate 
its delayed type, which is the function 

$\mathrm{dtype}_L(t) : \Sigma \to \mathrm{Types}(L)$ defined by $\mathrm{dtype}_L(t)(a) = \mathrm{type}_L(t(a))$. 

Note that the delayed type of a tree does not depend on the letter labeling its 
root. We will denote delayed types using the letters $x, y, z$. We write $(x, a) \lhd_L y$ if 
there is a tree of delayed type $y$ having a subtree of type $x(a)$. We also write $x \lhd_L y$ 
if $(x, a) \lhd_L y$ for some $a \in \Sigma$. This relation is a quasiorder but not necessarily a 
partial order, since it may not be antisymmetric. 

For delayed types $x, y$ and letters $a, b \in \Sigma$, we write $\mathrm{dtype}_L(x, a, y, b)$ for the 
delayed type which assigns to a letter $c$ the type $c[x(a), y(b)]$. In other words, 
this is the delayed type of a tree whose left and right subtrees have types $x(a)$ 
and $y(b)$ respectively. The set of neutral letters of a delayed type $x$ is the set 

$N_x = \{a : x = \mathrm{dtype}_L(x, a, x, a)\}$. 

Definition 3. A $\Sigma$-language $L$ is EF-admissible if it is regular and all delayed 
types $x, y$ and letters $a, c \in \Sigma$ satisfy: 

P1 The relation $\lhd_L$ on delayed types is a partial order; 

P2 $\mathrm{dtype}_L(x, a, y, b) = \mathrm{dtype}_L(x, a, y, b')$ for all $b, b' \in N_y$; 

P3 if $(x, a) \lhd_L y$ then $\mathrm{dtype}_L(x, a, y, c) = \mathrm{dtype}_L(y, c, y, c)$; 

P4 $\mathrm{dtype}_L(x, a, y, c) = \mathrm{dtype}_L(y, c, x, a)$. 

Another important concept used in Theorem 2 is that of typeset dependency. 
The typeset of a $\Sigma$-tree $t$ is the set 

$\mathrm{TS}_L(t) = \{ \mathrm{type}_L(t|_w) : w \in \mathrm{dom}(t) \setminus \{\varepsilon\} \}$. 

Note that the type of the tree itself is not necessarily included in its typeset. 
We say that a language $L$ is typeset dependent if the delayed type of a tree 
depends only on its typeset. 

Our characterization of TL(EF) is presented in the following theorem: 

Theorem 2. For a regular language $L$, the following conditions are equivalent: 

1. $L$ is TL(EF)-definable, 

2. $L$ is typeset dependent, 

3. $L$ is EF-admissible. 

The proof of this theorem is long and will be spread across the next two 
sections; the implications $1 \Rightarrow 2$ and $3 \Rightarrow 1$ being proved in Sections 4.1 and 
4.2 respectively. The implication $2 \Rightarrow 3$ is a simple verification and is omitted. 
For the remainder of Section 4 we assume that an alphabet $\Sigma$ along with a 
$\Sigma$-language $L$ are fixed, hence we will drop the $L$ qualifier from the notation, 
writing for instance $\lhd$ instead of $\lhd_L$. 

4.1 A TL(EF)-Definable Language Is Typeset Dependent 

In this section, we will show that the language $L$ is typeset dependent using the 
assumption that it is defined by some TL(EF) formula $\psi$. 

Definition 4. By $\mathrm{cl}(\psi)$ we denote the smallest set of formulas that contains $\psi$ 
and is closed under negations and subformulas. 

It is not difficult to see that the type of a tree is determined by the set of 
those formulas from $\mathrm{cl}(\psi)$ which it satisfies (although this correspondence need 
not be injective). Our first step is to show that for the delayed type, even less 
information is sufficient. 

Definition 5. An existential formula is a formula of the form $EF\,\varphi$. The signature 
$\mathrm{sig}(t)$ of a tree $t$ is the set of existential formulas from $\mathrm{cl}(\psi)$ that it satisfies. 

Lemma 1. The signature of a tree determines its delayed type. 

Proof. Take two trees $s$ and $t$ with the same signatures. For a given letter $a \in \Sigma$, 
an easy induction on formula size shows that for all $\varphi \in \mathrm{cl}(\psi)$: 

$s(a) \models \varphi$ iff $t(a) \models \varphi$. 

This is due to the fact that the modality EF is strict: an existential formula looks 
only at proper subtrees, which relabeling the root does not change, so $s(a)$ and $s$ 
(and likewise $t(a)$ and $t$) have the same signature. Since the two trees $s(a)$ 
and $t(a)$ satisfy the same formulas from $\mathrm{cl}(\psi)$, their types must be the same. As 
the choice of the letter $a$ was arbitrary, this implies that the trees $s$ and $t$ have 
the same delayed types. 

Given two trees $t_0, t_1$ and a letter $a \in \Sigma$, we write $\mathrm{sig}(t_0, t_1)$ instead of 
$\mathrm{sig}(a[t_0, t_1])$. This notation is unambiguous since $\mathrm{sig}(a[t_0, t_1])$ does not depend 
on the letter $a$. 
Given two types $\alpha$ and $\beta$, we denote by $\mathrm{dtype}(\alpha, \beta)$ the delayed type which 
assigns to a letter $a$ the type $a[\alpha, \beta]$. A type $\alpha$ is reachable from a type $\beta$, denoted 
$\beta \preceq \alpha$, if $C[\beta] = \alpha$ holds for some context $C[\,]$. This relation is a quasiorder and 
we use $\approx$ for the accompanying equivalence relation. The following simple lemma 
is given without a proof: 

Lemma 2. If $t'$ is a subtree of $t$, then $\mathrm{sig}(t', s) \subseteq \mathrm{sig}(t, s)$. If $\alpha \preceq \beta$ then 
$\mathrm{dtype}(\alpha, \beta) = \mathrm{dtype}(\beta, \beta)$. 

The following lemma shows that for TL(EF)-definable languages, the relation 
$\approx$ is a congruence with respect to the function $\mathrm{dtype}(\alpha, \beta)$: 

Lemma 3. If $\alpha_0 \approx \beta_0$ and $\alpha_1 \approx \beta_1$ then $\mathrm{dtype}(\alpha_0, \alpha_1) = \mathrm{dtype}(\beta_0, \beta_1)$. 

Proof. Since a TL(EF)-definable language satisfies $\mathrm{dtype}(\alpha, \beta) = \mathrm{dtype}(\beta, \alpha)$, it 
is sufficient to prove the case where $\beta_1 = \alpha_1$. Let $C[\,]$ be a context such that 
$C[\alpha_0] = \beta_0$ and let $D[\,]$ be a context such that $D[\beta_0] = \alpha_0$. All these contexts 
exist by assumption. Let $s_0$ be a tree of type $\alpha_0$ and let $s_1$ be a tree of type $\alpha_1$. 
Consider the two sequences of trees $\{s_i\}_{i \ge 0}$ and $\{t_i\}_{i \ge 0}$ defined by induction as 
follows, starting from the tree $s_0$ chosen above: 

$t_i = C[s_i]$ for $i \ge 0$; 

$s_i = D[t_{i-1}]$ for $i \ge 1$. 

By a simple induction one can prove that for all $i \ge 0$, 
$\mathrm{type}(s_i) = \alpha_0$ and $\mathrm{type}(t_i) = \beta_0$. 

By Lemma 2 ($s_i$ is a subtree of $t_i = C[s_i]$, which is a subtree of $s_{i+1} = D[t_i]$), 
for all $i \ge 0$ 

$\mathrm{sig}(s_i, s_1) \subseteq \mathrm{sig}(t_i, s_1) \subseteq \mathrm{sig}(s_{i+1}, s_1)$. 

Since there are only finitely many signatures, this increasing chain stabilizes, so there 
must be some $i \ge 0$ such that $\mathrm{sig}(s_i, s_1) = \mathrm{sig}(t_i, s_1)$. Consequently, by Lemma 1, 
the delayed types $\mathrm{dtype}(\alpha_0, \alpha_1)$ and $\mathrm{dtype}(\beta_0, \alpha_1)$ are equal. 

We are now ready to show that the language $L$ is typeset dependent. Let $s$ 
and $t$ be two trees with the same typeset. If this typeset is empty, then both 
trees have one node and, consequently, the same delayed type. Otherwise one 
can consider the following four types, which describe the sons of $s$ and $t$: 

$\alpha_0 = \mathrm{type}(s|_0)$, $\alpha_1 = \mathrm{type}(s|_1)$, $\beta_0 = \mathrm{type}(t|_0)$, $\beta_1 = \mathrm{type}(t|_1)$. 

We need to prove that $\mathrm{dtype}(\beta_0, \beta_1) = \mathrm{dtype}(\alpha_0, \alpha_1)$. By the assumption that 
the typesets of $s$ and $t$ are equal, both $\beta_0$ and $\beta_1$ occur in nonroot nodes of 
$s$ and both $\alpha_0$ and $\alpha_1$ occur in nonroot nodes of $t$. Thus $\beta_0 \preceq \alpha$ holds for 
some $\alpha \in \{\alpha_0, \alpha_1\}$ and similarly for $\beta_1$, $\alpha_0$ and $\alpha_1$. The result follows from the 
following case analysis: 

— $\beta_0, \beta_1 \preceq \alpha$ for some $\alpha \in \{\alpha_0, \alpha_1\}$. By assumption we must have $\alpha \preceq \beta$ 
for some $\beta \in \{\beta_0, \beta_1\}$. Hence $\alpha \approx \beta$. By Lemma 3 we get $\mathrm{dtype}(\alpha, \alpha) = 
\mathrm{dtype}(\beta, \beta)$. As $\beta_0, \beta_1 \preceq \alpha \approx \beta$, from Lemma 2 we obtain $\mathrm{dtype}(\beta_0, \beta_1) = 
\mathrm{dtype}(\beta, \beta)$. Similarly one proves the equality $\mathrm{dtype}(\alpha_0, \alpha_1) = \mathrm{dtype}(\alpha, \alpha)$. 

— $\alpha_0, \alpha_1 \preceq \beta$ for some $\beta \in \{\beta_0, \beta_1\}$. As in the case above. 

— A short analysis reveals that if neither of the above holds then $\beta_0 \preceq \alpha_i \preceq \beta_0$ 
and $\beta_1 \preceq \alpha_{1-i} \preceq \beta_1$ for some $i \in \{0, 1\}$. Therefore $\beta_0 \approx \alpha_i$ and $\beta_1 \approx \alpha_{1-i}$, 
and an application of Lemma 3 yields the desired result. 



4.2 An EF-Admissible Language Is TL(EF)-Definable 

We now proceed to the most difficult part of the proof, where a defining TL(EF) 
formula is found based only on the assumption that the properties P1 to P4 are 
satisfied. We start by stating a key property of EF-admissible languages which 
shows the importance of neutral letters. 

Lemma 4. If the delayed type of a tree $t$ is $y$, then every proper subtree of $t$ with 
delayed type $y$ has its root label in $N_y$. 

Proof. Consider some proper subtree $t|_v$ of delayed type $y$ and its root label 
$b = t(v)$. Let $w$ be the brother of the node $v$ and let $z, c$ be its delayed type and 
label, respectively. Obviously $(z, c) \lhd y$. By property P3 we get $\mathrm{dtype}(y, b, z, c) = 
\mathrm{dtype}(y, b, y, b)$ and consequently $\mathrm{dtype}(y, b, y, b) \lhd y$. As $\lhd$ is a partial order by 
P1 and since $y \lhd \mathrm{dtype}(y, b, y, b)$ holds by definition, we get $\mathrm{dtype}(y, b, y, b) = y$. 
Hence $b$ belongs to $N_y$. 

Note that if the trees $t$ and $t|_v$ have delayed type $y$, then so does the tree $t|_w$ 
for any $w < v$, because $\lhd$ is a partial order. In particular, the above lemma says 
that nodes with delayed type $y$ form cones whose non-root elements have labels 
in $N_y$. 

Formulas Defining Delayed Types. A delayed type $x$ is definable if there is 
some TL(EF) formula $\theta_x$ true in exactly the trees of delayed type $x$. 

The construction of the $\theta_x$ formulas will proceed by induction on the $\lhd$ order. 
The first step is the following lemma: 

Lemma 5. Let $y$ be a delayed type such that all delayed types $z \lhd y$, $z \ne y$, are definable. 
For every delayed type $x$ there is a TL(EF) formula $\mathrm{fork}^x_y$ such that: 

$t \models \mathrm{fork}^x_y$ iff $\mathrm{dtype}(t) = y$ and for all $w > \varepsilon$, $\mathrm{dtype}(t|_w) \lhd x$. 

The proof of this lemma is omitted here. We would only like to point out 
that some effort is required, since the $\mathrm{fork}^x_y$ formula is not allowed to use the EX 
operator. 

We will use this lemma to construct a formula $\theta_x$ defining $x$. For the rest of 
Section 4.2 we fix the delayed type $x$ and assume that every delayed type $y \lhd x$ 
other than $x$ itself is definable by a formula $\theta_y$. 
The first case is when $x$ has no neutral letters. By Lemma 4, in a tree of 
delayed type $x$ both sons have delayed types strictly smaller than $x$, since there are no 
neutral letters for $x$. In this case we can set 

$\theta_x = \mathrm{fork}^x_x$. (1) 

The correctness of this definition follows immediately from Lemma 5. 

The definition of $\theta_x$ is more involved when the set of neutral letters for $x$ is 
not empty. The rest of Section 4.2 is devoted to this case. 

Consider first the following formula: 

$\theta^{\ne}_x = \big( EF \bigvee \{ b \wedge \theta_y : y \lhd x,\ y \ne x,\ (y, b) \not\lhd x \} \big) \vee \bigvee \{ \mathrm{fork}^x_y : y \ne x \}$ 

The intention of this formula is to spell out evident cases when the delayed 
type of a node cannot be $x$. The first disjunct says that there is a descendant with 
a delayed type and a label that prohibit its ancestors from having type $x$. The second 
disjunct says that the type of the node is not $x$ but the types of all descendants 
are $\lhd x$. This formula works correctly, however, only when some assumptions 
about the tree are made. These assumptions use the following definition: a tree 
$t$ satisfies the property $\mathrm{OK}_x(t)$ if 

$\mathrm{dtype}(t) \lhd x$ with $\mathrm{dtype}(t) \ne x$, or $\mathrm{dtype}(t) = x$ and $t(\varepsilon) \in N_x$. 

Lemma 6. Let $t$ be a tree where $\mathrm{OK}_x(t|_v)$ holds for all $v > \varepsilon$. This tree satisfies 
$\theta^{\ne}_x$ if and only if $\mathrm{dtype}(t) \ne x$. 

Proof. The left to right implication was already discussed and follows from the 
assumptions on the $\theta_y$ formulas used in $\theta^{\ne}_x$ and from Lemma 5. 

For the right to left implication, let $\mathrm{dtype}(t) = \mathrm{dtype}(y, b, z, c)$ with $y, b, z, c$ 
describing the delayed types and labels of the nodes 0 and 1, which are 
the left and right sons of the root. We consider three cases: 

— $y = z = x$. This is impossible because $\mathrm{OK}_x(t|_0)$ and $\mathrm{OK}_x(t|_1)$ hold, so the 
labels $b, c$ must belong to $N_x$, and thus $\mathrm{dtype}(t) = x$. 

— $y = x$ and $z \lhd x$, $z \ne x$. Since $\mathrm{OK}_x(t|_0)$ holds, the label $b$ belongs to $N_x$. If the 
relation $(z, c) \lhd x$ were true (which is not necessarily implied by our 
assumption that $z \lhd x$), then by property P3 we would have 

$\mathrm{dtype}(t) = \mathrm{dtype}(y, b, z, c) = \mathrm{dtype}(x, b, z, c) = \mathrm{dtype}(x, b, x, b) = x$, 

a contradiction with $\mathrm{dtype}(t) \ne x$. Therefore we have $(z, c) \not\lhd x$ and hence 
the first disjunct of $\theta^{\ne}_x$ holds. The case where $z = x$ and $y \lhd x$ is symmetric. 

— $y, z \lhd x$ with $y, z \ne x$. In this case the second disjunct in the definition of $\theta^{\ne}_x$ 
must hold by Lemma 5. 

Let $\theta_{\lhd x}$ stand for $\bigvee_{y \lhd x,\ y \ne x} \theta_y$ and consider the formula 

$\varphi_x = \theta_{\lhd x} \vee \big( \neg\theta^{\ne}_x \wedge \bigvee \{ a : a \in N_x \} \big)$. 

This formula will be used to express the $\mathrm{OK}_x$ property. We use $AG^*$ as the 
non-strict version of $AG$, i.e. $AG^*\varphi$ is an abbreviation for the formula $\varphi \wedge AG\,\varphi$. 
Lemma 7. A tree $t$ satisfies $AG^*\varphi_x$ iff $\mathrm{OK}_x(t|_v)$ holds for all $v \ge \varepsilon$. 

Proof. By induction on the depth of the tree $t$. 

$\Rightarrow$ If $t$ satisfies $\varphi_x$ because it satisfies $\theta_{\lhd x}$, then $\mathrm{dtype}(t) \lhd x$ with $\mathrm{dtype}(t) \ne x$; 
since the delayed type of every subtree is $\lhd \mathrm{dtype}(t)$ and $\lhd$ is a partial order, 
$\mathrm{OK}_x(t|_v)$ holds for all $v \ge \varepsilon$. Otherwise we have 

$t(\varepsilon) \in N_x$ and $t \not\models \theta^{\ne}_x$. 

By the induction assumption, $\mathrm{OK}_x(t|_v)$ holds for all $v > \varepsilon$. But then, by Lemma 6, 
$\mathrm{dtype}(t) = x$. This, together with $t(\varepsilon) \in N_x$, gives $\mathrm{OK}_x(t)$. 

$\Leftarrow$ Let $t$ be such that $\mathrm{OK}_x(t|_v)$ holds for all $v \ge \varepsilon$. By the induction assumption, 
we have $t \models AG\,\varphi_x$. We need to prove that $t$ satisfies $\varphi_x$. If $\mathrm{dtype}(t) \lhd x$ and 
$\mathrm{dtype}(t) \ne x$, then $t$ satisfies $\theta_{\lhd x}$ and we are done. Otherwise, as $\mathrm{OK}_x(t)$ holds, 
$\mathrm{dtype}(t) = x$ and $t(\varepsilon) \in N_x$. Hence, by Lemma 6, $t$ satisfies the second disjunct in $\varphi_x$. 

Since the type of a tree can be computed from its delayed type and root 
label, the following lemma ends the proof that every EF-admissible language is 
TL(EF)-definable: 

Lemma 8. Every delayed type is definable. 

Proof. By induction on the depth of a delayed type $x$ in the order $\lhd$. If $x$ has 
no neutral letters then the defining formula $\theta_x$ is as in (1). Otherwise, we set the 
defining formula to be 

$\theta_x = \neg\theta_{\lhd x} \wedge \neg\theta^{\ne}_x \wedge AG\,\varphi_x$. 

Let us show why $\theta_x$ has the required properties. By Lemma 7 applied to the sons of $t$, 

$t \models AG\,\varphi_x$ iff $\mathrm{OK}_x(t|_w)$ for all $w > \varepsilon$. (2) 

If $t \models \theta_x$ then we get $\mathrm{dtype}(t) = x$ using Lemma 6 and (2). For the other 
direction, if $\mathrm{dtype}(t) = x$ then clearly $\neg\theta_{\lhd x}$ holds in $t$. By Lemma 4, $\mathrm{OK}_x(t|_w)$ 
holds for all $w > \varepsilon$, therefore $t$ satisfies $AG\,\varphi_x$ by (2), and then the formula $\neg\theta^{\ne}_x$ 
holds by Lemma 6. 



5 TL(EX, EF) 

The last logic we consider in this paper is TL(EX, EF). As in the previous sections, 
we will present a characterization of TL(EX, EF)-definable languages. For the 
rest of the section we fix an alphabet $\Sigma$ along with a $\Sigma$-language $L$ and will 
henceforth omit the $L$ qualifier from notation. 

Recall the type reachability quasiorder $\preceq$ along with its accompanying equivalence 
relation $\approx$, which were defined in Section 4.1. The $\approx$-equivalence class of a 
type $\alpha$ is called here its strongly connected component and is denoted $\mathrm{SCC}(\alpha)$. 
We extend the relation $\preceq$ to SCCs by setting: 

$\Gamma \preceq \Delta$ if $\alpha \preceq \beta$ for some $\alpha \in \Gamma$ and $\beta \in \Delta$; 

$\alpha \preceq \Gamma$ if $\alpha \preceq \beta$ for some $\beta \in \Gamma$. 

We use the standard notational shortcuts, writing $\Gamma \prec \Delta$ when $\Gamma \preceq \Delta$ but 
not $\Gamma = \Delta$; similarly for $\alpha \prec \Gamma$. 

Let $\Gamma$ be some SCC and let $k \in \mathbb{N}$. The $(\Gamma, k)$-view of a tree $t$ is the tree 
$\mathrm{view}(\Gamma, k, t)$ whose domain is the set of nodes in $t$ at depth at most $k$ and where 
a node $v$ is labeled by: 

— $t(v)$ if $v$ is at depth smaller than $k$; 

— $\mathrm{type}(t|_v)$ if $v$ is at depth $k$ and $\mathrm{type}(t|_v) \prec \Gamma$; 

— ? otherwise. 

Let $\mathrm{views}(\Gamma, k)$ denote the set of possible $(\Gamma, k)$-views. The intuition behind 
the $(\Gamma, k)$-view of $t$ is that it gives exact information about the tree $t$ for types 
which are $\prec \Gamma$, while for other types it just says “I don’t know”. 
The following definition describes languages where this information is sufficient 
to pinpoint the type within the strongly connected component $\Gamma$. 

Definition 6. Let $k \in \mathbb{N}$. The language $L$ is $(\Gamma, k)$-solvable if every two trees $s$ 
and $t$ with types in $\Gamma$ and the same $(\Gamma, k)$-view have the same type. The language 
is $k$-solvable if it is $(\Gamma, k)$-solvable for every SCC $\Gamma$ and it is SCC-solvable if it 
is $k$-solvable for some $k$. 

It turns out that SCC-solvability is exactly the property which characterizes 
the TL(EX, EF)-definable languages: 

Theorem 3. A regular language is TL(EX, EF)-definable if and only if it is 
SCC-solvable. 

The proof of this theorem will be presented in the two subsections that follow. 

5.1 An SCC-Solvable Language Is TL(EX, EF)-Definable 

In this section we show that one can write TL(EX, EF) formulas which compute 
views. Then, using these formulas and the assumption that $L$ is SCC-solvable, 
the type of a tree can be found. 

Fix some $k$ such that $L$ is $k$-solvable. Let $\mathrm{views}(\alpha)$ be the set of possible 
$(\Gamma, k)$-views that can be assumed in a tree of type $\alpha \in \Gamma$. By the assumption on $L$ 
being $k$-solvable, we have: 

Lemma 9. Let $t$ be a tree such that $\mathrm{type}(t) \preceq \alpha$. The type of $t$ is $\alpha$ if and only 
if its $(\mathrm{SCC}(\alpha), k)$-view belongs to the set $\mathrm{views}(\alpha)$. 

The following lemma states that views can be computed using TL(EX, EF). 
We omit the simple proof by induction. 

Lemma 10. Suppose that for every type $\beta \prec \Gamma$, there is a TL(EX, EF) formula 
$\theta_\beta$ defining it. Then for every $i \in \mathbb{N}$ and every $s \in \mathrm{views}(\Gamma, i)$ there is a formula 
$\varphi_s$ satisfied in exactly the trees whose $(\Gamma, i)$-view is $s$. 

We define below a set of views which certainly cannot appear in a tree with 
a type in a strongly connected component $\Gamma$: 

$\mathrm{Bad}(\Gamma) = \{ a[s, t] : s \in \mathrm{views}(\alpha),\ t \in \mathrm{views}(\beta),\ \text{where } \alpha, \beta \preceq \Gamma,\ a[\alpha, \beta] \not\preceq \Gamma \} \cup$ 
$\{ t : \mathrm{type}(t) \not\preceq \Gamma \text{ and } \mathrm{dom}(t) = \{\varepsilon\} \}$ 

Observe that $\mathrm{Bad}(\Gamma)$ is a set of $(\Gamma, k+1)$-views. The following lemma shows 
that the above cases are essentially the only ones. 

Lemma 11. For a tree $t$ and an SCC $\Gamma$, the following equivalence holds: 

$\mathrm{type}(t) \not\preceq \Gamma$ iff $\mathrm{view}(\Gamma, k+1, t|_v) \in \mathrm{Bad}(\Gamma)$ for some $v \in \mathrm{dom}(t)$. 

Proof. Both implications follow easily from Lemma 9 if one considers the maximal 
possible node $v$ satisfying the right hand side. 

The following lemma completes the proof that $L$ is TL(EX, EF)-definable. 

Lemma 12. Every type of $L$ is TL(EX, EF)-definable. 

Proof. The proof is by induction on the depth of the type in the quasiorder $\preceq$. 
Consider a type $\alpha$ and its SCC $\Gamma$. By the induction assumption, for all types $\beta \prec \Gamma$, 
there is a formula $\theta_\beta$ which is satisfied in exactly the trees of type $\beta$. Using the $\theta_\beta$ 
formulas and Lemma 10 we construct the following TL(EX, EF) formula (recall 
that $AG^*$ is the non-strict version of $AG$ defined in Section 4.2): 

$\theta_\Gamma = AG^* \bigwedge_{t \in \mathrm{Bad}(\Gamma)} \neg\varphi_t$ 

By Lemma 11, a tree $t$ satisfies $\theta_\Gamma$ if and only if $\mathrm{type}(t) \preceq \Gamma$. Finally, the 
formula $\theta_\alpha$ is defined: 

$\theta_\alpha = \theta_\Gamma \wedge \bigvee_{t \in \mathrm{views}(\alpha)} \varphi_t$. 

The correctness of this construction follows from Lemma 9. 

5.2 A TL(EX, EF)-Definable Language Is SCC-Solvable 

In this section, we are going to show that a language which is not SCC-solvable 
is not TL(EX, EF)-definable. For this, we introduce an appropriate Ehrenfeucht-Fraïssé 
game, called the EX+EF game, which characterizes trees indistinguishable 
by TL(EX, EF)-formulas. 

The game is played over two trees and by two players, Spoiler and Duplicator. 
The intuition is that in the $k$-round EX+EF game, the player Spoiler tries to 
differentiate the two trees using $k$ moves. 

The precise definition is as follows. At the beginning of the $k$-round game, 
with $k \ge 0$, the players are faced with two trees $t_0$ and $t_1$. If these have different 
root labels, Spoiler wins. If they have the same root labels and $k = 0$, Duplicator 
wins; otherwise the game continues. Spoiler first picks one of the trees $t_i$, with 
$i \in \{0, 1\}$. Then he chooses whether to make an EF or EX move. If he chooses 
to make an EF move, he needs to choose some non-root node $v \in \mathrm{dom}(t_i)$ and 
Duplicator must respond with a non-root node $w \in \mathrm{dom}(t_{1-i})$ of the other tree. 
If Spoiler chooses to make an EX move, he picks a son $v \in \{0, 1\}$ of the root in 
$t_i$ and Duplicator needs to pick a son $w \in \{0, 1\}$ of the root in the other tree 
(the semantics of EX does not distinguish the two sons, so $w$ need not equal $v$). 
If a player cannot find an appropriate node in the relevant tree, this player 
immediately loses. Otherwise the trees $t_i|_v$ and $t_{1-i}|_w$ become the new position 
and the $(k-1)$-round game is played. 

The following lemma is proved using a standard induction: 

Lemma 13. Duplicator wins the $k$-round EX+EF game over $t_0$ and $t_1$ iff $t_0$ 
and $t_1$ satisfy the same EX+EF formulas of modality nesting depth at most $k$. 
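The game can be decided by exhaustive search on small trees. The Python below is an added example, not code from the paper: `duplicator_wins` checks whether Duplicator has a winning strategy in the $k$-round EX+EF game, with Duplicator free to answer an EF move by any non-root node and an EX move by either son (EX does not tell the sons apart). The sample trees `T0`, `T1`, `T2` and the helper `mirror` are constructed here; `T0` and `T1` agree on every formula of modality depth 1 but are separated by $EF(b \wedge EF\,b)$ of depth 2, which is exactly what the game reports.

```python
"""The k-round EX+EF game of Section 5.2, decided by exhaustive search.

Added example, not code from the paper.  Trees are leaves ('a',) or inner
nodes ('a', left, right).  Duplicator may answer an EF move with any non-root
node and an EX move with either son of the root, since EX does not tell the
two sons apart.
"""
from functools import lru_cache


def proper_subtrees(t):
    for son in t[1:]:
        yield son
        yield from proper_subtrees(son)


@lru_cache(maxsize=None)
def duplicator_wins(t0, t1, k):
    """True iff Duplicator has a winning strategy in the k-round game on t0, t1.

    Spoiler wins at once on different root labels; with k = 0 and equal labels
    Duplicator wins.  Otherwise every Spoiler move (a tree, EF or EX, a node)
    must have an answer from which Duplicator wins the (k-1)-round game."""
    if t0[0] != t1[0]:
        return False
    if k == 0:
        return True
    for s, t in ((t0, t1), (t1, t0)):          # Spoiler picks the tree s ...
        for v in proper_subtrees(s):             # ... an EF move to a non-root node v
            if not any(duplicator_wins(v, w, k - 1) for w in proper_subtrees(t)):
                return False
        for v in s[1:]:                          # ... or an EX move to a son v
            if not any(duplicator_wins(v, w, k - 1) for w in t[1:]):
                return False
    return True


def mirror(t):
    """Swap the sons at every node; TL(EX, EF) cannot tell t from mirror(t)."""
    return t if len(t) == 1 else (t[0], mirror(t[2]), mirror(t[1]))


# Constructed sample trees.  T0 = a[b[c, c], b[c, c]] and T1 = a[b[b[c, c], c], b[c, c]]
# agree on all formulas of modality depth 1, but EF(b /\ EF b) of depth 2 holds
# only in T1, so Duplicator wins the 1-round game and loses the 2-round game.
B2 = ('b', ('c',), ('c',))
T0 = ('a', B2, B2)
T1 = ('a', ('b', B2, ('c',)), B2)
T2 = ('a', ('b', ('c',), ('d',)), ('e',))

if __name__ == '__main__':
    print(duplicator_wins(T0, T1, 1), duplicator_wins(T0, T1, 2))  # True False
    print(duplicator_wins(T2, mirror(T2), 5))                        # True
```

The `mirror` check illustrates the son rule: Spoiler picks a son on one side, Duplicator answers with the mirrored son on the other, and the positions stay mirror images, so Duplicator wins every round count.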

For two types $\alpha, \beta \in \Gamma$ we define an $(\alpha, \beta)$-context to be a multicontext $C$ 
such that there are two valuations of its holes $u_\alpha, u_\beta : V \to \Gamma$ giving the types 
$C[u_\alpha] = \alpha$ and $C[u_\beta] = \beta$. The hole depth of a multicontext $C$ is the minimal 
depth of a hole in $C$. A multicontext $C$ is $k$-bad for an SCC $\Gamma$ if it has hole 
depth at least $k$ and is an $(\alpha, \beta)$-context for two different types $\alpha, \beta \in \Gamma$. 

Lemma 14. $L$ is not SCC-solvable if and only if for some SCC $\Gamma$ and every 
$k \in \mathbb{N}$, it contains multicontexts which are $k$-bad for $\Gamma$. 

Proof. A $k$-bad context exists for $\Gamma$ if and only if $L$ is not $(\Gamma, k)$-solvable. 

The following lemma concludes the proof that no TL(EX, EF) formula can 
recognize a language which is not SCC-solvable: 

Lemma 15. If $L$ is not SCC-solvable then for every $k$ there are trees $s \in L$ and 
$t \notin L$ such that Duplicator wins the $k$-round EX+EF game over $s$ and $t$. 

Proof. Take some $k \in \mathbb{N}$. If $L$ is not SCC-solvable then, by Lemma 14, there is a 
multicontext $C$ which is $k$-bad for some SCC $\Gamma$. Let $V = \{v_1, \ldots, v_n\}$ be the holes 
of $C$, let $u_\alpha, u_\beta : V \to \Gamma$ be the appropriate valuations and $\alpha = C[u_\alpha]$, $\beta = C[u_\beta]$ 
the resulting types. We will use this multicontext to find trees $s \in L$ and $t \notin L$ 
such that Duplicator wins the $k$-round EX+EF game over $s$ and $t$. 

Since all the types used in the valuations $u_\alpha$ and $u_\beta$ come from the same SCC, 
there are contexts $C^\alpha_1[\,], \ldots, C^\alpha_n[\,]$ and $C^\beta_1[\,], \ldots, C^\beta_n[\,]$ such that 

$C^\alpha_i[\alpha] = u_\beta(v_i)$ and $C^\beta_i[\beta] = u_\alpha(v_i)$ for all $i \in \{1, \ldots, n\}$. 

This means there are two multicontexts $D^\alpha$ and $D^\beta$ with $n$ holes each, such that: 
1) $D^\alpha$ and $D^\beta$ agree over nodes of depth less than $k$; 2) when all holes of $D^\alpha$ 
are plugged with $\beta$, we get the type $\alpha$; and 3) when all holes of $D^\beta$ are plugged 
with $\alpha$, we get the type $\beta$. These are obtained by plugging the appropriate 
“translators” into the holes of the multicontext $C$: $C^\beta_i[\,]$ for $D^\alpha$ and $C^\alpha_i[\,]$ for $D^\beta$. 
Let $t_0$ be some tree of type $\alpha$. The trees $t_j$ for $j > 0$ are defined by induction as follows: 

$t_{2i+1} = D^\beta[\underbrace{t_{2i}, \ldots, t_{2i}}_{n \text{ times}}]$, 

$t_{2i+2} = D^\alpha[\underbrace{t_{2i+1}, \ldots, t_{2i+1}}_{n \text{ times}}]$. 

By an obvious induction, all the trees $t_{2i}$ have type $\alpha$ and all the trees $t_{2i+1}$ 
have type $\beta$. As $\beta \ne \alpha$, there exists a context $D[\,]$ such that $D[\alpha] \in L$ and 
$D[\beta] \notin L$ (or the other way round). 
To finish the proof of the lemma, we will show that Duplicator wins the 
$k$-round EX+EF game over the trees 

$s = D[t_{2k+2}]$ and $t = D[t_{2k+1}]$. 

The winning strategy for Duplicator is obtained by following an invariant. 
This invariant is a disjunction of three properties, one of which always holds 
when the $i$-round game is about to be played: 

1. The two trees are identical; 

2. The two trees are $s|_v$ and $t|_v$ for some $|v| \le k - i$; 

3. The two trees are $t_m|_v$ and $t_{m-2}|_v$ for $m \ge k + i + 1$ and 
$v \in \mathrm{dom}(D^\alpha)$ if $m$ is even, $v \in \mathrm{dom}(D^\beta)$ if $m$ is odd. 

The invariant holds at the beginning of the first round, due to 2 (with $v = \varepsilon$ and $i = k$), 
and one can verify that Duplicator can play in such a way that it is satisfied in all rounds. 
Item 2 of the invariant will be preserved in the initial fragment of the game when 
only EX moves are made, then item 3 will hold until either the game ends or 
item 1 begins to hold. 



6 Decidability 

In this section we round up the results by showing that our characterizations 
are decidable. 

Theorem 4. It is decidable in time polynomial in the number of types if a lan- 
guage is: 

— TL(E X) -definable; 

— TL(EF) -definable; 

— TL(EX, EF) -definable. 

Proof. Using a simple dynamic algorithm, one can compute in polynomial time 
all tuples $(\alpha, \beta, \alpha', \beta')$ such that for some context $C[\,]$, $C[\alpha] = \alpha'$ and $C[\beta] = \beta'$. 
Using this, we can find in polynomial time: 

— Whether $L$ contains an $\{\alpha, \beta\}$-loop; 

— The $\preceq_L$ and $\approx_L$ relations on types. 

Since the delayed type of a tree depends only on the types of its immediate 
subtrees, the number of delayed types is polynomial in the number of types. The 
relation $\lhd_L$ on delayed types can then be computed in polynomial time from 
the relation $\preceq_L$. Having the relations $\preceq_L$ and $\lhd_L$, one can check in polynomial 
time if $L$ is EF-admissible. 
This, along with the characterizations from Theorems 1 and 2, proves decidability 
for TL(EX) and TL(EF). The remaining logic is TL(EX, EF). 

By Theorem 3, it is enough to show that SCC-solvability is decidable. In 
order to do this, we give an algorithm that detects if a given SCC $\Gamma$ admits 
bad multicontexts of arbitrary size, cf. Lemma 14. Fix an SCC $\Gamma$. We define by 
induction a sequence $B^i$ of subsets of $\Gamma \times \Gamma$. 

— $B^0 = \Gamma \times \Gamma$. 

— $(\alpha, \beta) \in B^{i+1}$ if $(\alpha, \beta) \in B^i$ and either 

• there is a pair $(\alpha', \beta') \in B^i$, a type $\gamma \prec \Gamma$ and a letter $a \in \Sigma$ such that 
$\mathrm{type}(a[\alpha', \gamma]) = \alpha$ and $\mathrm{type}(a[\beta', \gamma]) = \beta$, or symmetrically 
$\mathrm{type}(a[\gamma, \alpha']) = \alpha$ and $\mathrm{type}(a[\gamma, \beta']) = \beta$; or 

• there are pairs $(\alpha', \beta'), (\alpha'', \beta'') \in B^i$ and a letter $a \in \Sigma$ such that 
$\mathrm{type}(a[\alpha', \alpha'']) = \alpha$ and $\mathrm{type}(a[\beta', \beta'']) = \beta$. 

The sequence $B^i$ is decreasing so it reaches a fixpoint $B^\infty$ in no more than 
$|\Gamma|^2$ steps. The following lemma yields the algorithm for TL(EX, EF) and 
concludes the proof of Theorem 4: 

Lemma 16. $\Gamma$ admits bad multicontexts of arbitrary size iff $B^\infty$ contains a pair 
$(\alpha, \beta)$ of two different types (recall that a $k$-bad multicontext requires $\alpha \ne \beta$). 
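The procedures of this section can be run on a concrete minimal leaves-to-root automaton, whose states then stand for the $L$-types. The Python below is an added example, not code from the paper: `context_pairs` computes the tuples $(\alpha, \beta, \alpha', \beta')$ realised by nontrivial contexts by closing the depth-one contexts, `has_loop` decides condition 3 of Theorem 1, `sccs` derives $\preceq_L$ and its strongly connected components from the same tuples, and `scc_solvable` iterates the $B^i$ sets of Lemma 16 for one SCC and reports whether two different types survive (which is what a $k$-bad multicontext requires; a hole-free subtree of type $\gamma \prec \Gamma$ is allowed on either side). The class, the helper `automaton`, the three sample languages over $\{a, b\}$ and the assumption that the input automaton is total and already minimal are ours.

```python
"""Decision procedures of Section 6 on a minimal leaves-to-root tree automaton.

Added example, not code from the paper.  The language is given by a
deterministic bottom-up automaton assumed to be minimal and total, so that
its states are exactly the L-types.  Trees are binary as in Section 2: the
`leaf` table types one-node trees, `step[(a, q0, q1)]` types a[t0, t1].
"""
from itertools import product


class TreeAutomaton:
    def __init__(self, letters, states, leaf, step):
        self.letters = tuple(letters)
        self.states = tuple(states)
        self.leaf = dict(leaf)
        self.step = dict(step)

    def one_step(self, pair):
        """{(C[a], C[b])} for every context C whose hole is a son of the root."""
        a, b = pair
        out = set()
        for c, g in product(self.letters, self.states):
            out.add((self.step[c, a, g], self.step[c, b, g]))   # hole on the left
            out.add((self.step[c, g, a], self.step[c, g, b]))   # hole on the right
        return out

    def context_pairs(self):
        """reach[(a, b)] = {(C[a], C[b]) : C a nontrivial context}.

        A context is a chain of depth-one contexts from the hole up to the root,
        so closing one_step is exact.  Cost: O(|types|^2) closures over at most
        |types|^2 pairs each, i.e. polynomial in the number of types."""
        reach = {}
        for start in product(self.states, repeat=2):
            seen, frontier = set(), self.one_step(start)
            while frontier:
                seen |= frontier
                frontier = set().union(*(self.one_step(p) for p in frontier)) - seen
            reach[start] = seen
        return reach

    def has_loop(self, reach):
        """Condition 3 of Theorem 1: C[a] = a and C[b] = b for distinct a, b."""
        return any(a != b and (a, b) in reach[a, b]
                   for a, b in product(self.states, repeat=2))

    def below(self, b, a, reach):
        """b <= a in the reachability quasiorder: C[b] = a for some context."""
        return a == b or (a, a) in reach[b, b]

    def sccs(self, reach):
        comps = []
        for a in self.states:
            if not any(a in comp for comp in comps):
                comps.append(frozenset(b for b in self.states
                                       if self.below(a, b, reach) and self.below(b, a, reach)))
        return comps

    def scc_solvable(self, comp, reach):
        """Lemma 16 for the SCC comp: iterate B^0 = comp x comp with the two rules
        of Section 6 (hole-free subtree of type g < comp on either side, or two
        pairs from B^i) to the fixpoint; a k-bad multicontext for every k exists
        iff two different types survive."""
        rep = next(iter(comp))
        lower = [g for g in self.states if g not in comp and self.below(g, rep, reach)]
        B = set(product(comp, repeat=2))
        while True:
            nxt = set()
            for c, (a1, b1) in product(self.letters, B):
                for g in lower:
                    nxt.add((self.step[c, a1, g], self.step[c, b1, g]))
                    nxt.add((self.step[c, g, a1], self.step[c, g, b1]))
                for a2, b2 in B:
                    nxt.add((self.step[c, a1, a2], self.step[c, b1, b2]))
            nxt &= B
            if nxt == B:
                return all(a == b for a, b in B)
            B = nxt

    def tl_ex_definable(self):
        return not self.has_loop(self.context_pairs())

    def tl_ex_ef_definable(self):
        reach = self.context_pairs()
        return all(self.scc_solvable(comp, reach) for comp in self.sccs(reach))


def automaton(letters, states, leaf, rule):
    """Build the total step table from a rule (letter, type0, type1) -> type."""
    step = {(c, q0, q1): rule(c, q0, q1) for c in letters for q0 in states for q1 in states}
    return TreeAutomaton(letters, states, leaf, step)


# Constructed sample languages over {a, b}; states are named after the types.
ROOT_A = automaton('ab', ('ra', 'rb'), {'a': 'ra', 'b': 'rb'},
                   lambda c, q0, q1: 'r' + c)                       # root labeled a
SOME_A = automaton('ab', ('yes', 'no'), {'a': 'yes', 'b': 'no'},
                   lambda c, q0, q1: 'yes' if c == 'a' or 'yes' in (q0, q1) else 'no')
PARITY = automaton('ab', ('even', 'odd'), {'a': 'odd', 'b': 'even'},
                   lambda c, q0, q1: 'even' if ((c == 'a') + (q0 == 'odd') + (q1 == 'odd')) % 2 == 0
                   else 'odd')                                      # even number of a's

if __name__ == '__main__':
    for name, aut in (('root a', ROOT_A), ('some a', SOME_A), ('parity', PARITY)):
        print(name, aut.tl_ex_definable(), aut.tl_ex_ef_definable())
```

The three languages separate the logics: "root labeled $a$" is TL(EX)-definable (no loop), "some node labeled $a$" has the $\{yes, no\}$-loop $b[\,[\,], b]$ but every SCC is a singleton, so it is TL(EX, EF)-definable and not TL(EX)-definable, and "even number of $a$'s" keeps the pair $(even, odd)$ in $B^\infty$ and is definable in neither.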

Corollary 1. If the input is a CTL formula or a nondeterministic tree automaton, 
all of the problems in Theorem 4 are EXPTIME-complete. 

Proof. Since, in both cases, the types can be computed in time at most exponential 
in the input size, the EXPTIME membership follows immediately from 
Theorem 4. For the lower bound, one can use an argument analogous to the one 
in [17] and reduce the EXPTIME-hard universality problems for both CTL [3] 
and nondeterministic tree automata [13] to any of these problems. 

7 Open Problems 

The question of definability for the logics TL(EX), TL(EF) and TL(EX, EF) has 
been pretty much closed in this paper. One possible continuation is the logics where, 
instead of EF, the non-strict modality $EF^*$ is used. The resulting logics are weaker 
than their strict counterparts (for instance the language $EF\,a$ is not definable in 
TL($EF^*$)) and therefore decidability of their definability problems can be 
investigated. Another question is what happens if we enrich these logics with 
past quantification (there exists a point in the past). This question is particularly 
relevant in the case of TL(EX, EF), since the resulting logic coincides with first-order 
logic with two variables (where the signature contains $<$ and two binary 
successor relations). Finally, there is the question for CTL. Note that on words 
CTL collapses to LTL and hence first-order logic, so such a characterization 
would subsume first-order definability for words. 
Abstract. We study the expressiveness of finite message-passing automata
with a priori unbounded FIFO channels and show them to capture
exactly the class of MSC languages that are definable in existential
monadic second-order logic interpreted over MSCs. Moreover, we prove
the monadic quantifier-alternation hierarchy over MSCs to be infinite and
conclude that the class of MSC languages accepted by message-passing
automata is not closed under complement. Furthermore, we show that
satisfiability for (existential) monadic second-order logic over MSCs is
undecidable.



1 Introduction 

A common design practice when developing communicating systems is to start 
with drawing scenarios showing the intended interaction of the system to be. 
The standardized notion of message sequence charts (MSCs, [7]) is widely used 
in industry to formalize such typical behaviors. 

An MSC depicts a single partially-ordered execution sequence of a system. 
It defines a set of processes interacting with one another by communication 
actions. In the visual representation of an MSC, processes are drawn as vertical 
lines that are interpreted as time axes. A labeled arrow from one line to a second 
corresponds to the communication events of sending and receiving a message. 
Collections of MSCs are used to capture the scenarios that a designer might 
want the system to follow or to avoid. Several specification formalisms have 
been considered, such as high-level MSCs or MSC graphs [2, 14]. 

The next step in the design process usually is to derive an implementation 
of the system to develop [5], preferably automatically. In other words, we are 
interested in generating a distributed automaton realizing the behavior given in 
form of scenarios. This problem asks for the study of automata models that are
suited for accepting the system behavior described by MSC specifications. 

A common model that reflects the partially-ordered execution behavior of
MSCs in a natural manner is that of message-passing automata, MPAs for short. They
consist of several components that communicate using channels. Several variants
of MPAs have been studied in the literature: automata with a single or multiple
initial states, with finitely or infinitely many states, bounded or unbounded
channels, and systems with a global or local acceptance condition.

We focus on MPAs with a priori unbounded FIFO channels and global accep- 
tance condition where each component employs a finite state space. Our model 
subsumes the one studied in [5] where a local acceptance condition is used. It 
coincides with the one used in [6, 9], although these papers characterize the frag- 
ment of channel-bounded automata. It extends the setting of [1, 12] in so far as 
we provide synchronization messages and a global acceptance condition to have 
the possibility to coordinate rather autonomous processes. Thus, our version 
covers most existing models of communicating automata for MSCs. 

A fruitful way to study properties of automata is to establish logical char- 
acterizations. For example, finite word automata are known to be expressively 
equivalent to monadic second-order (MSO) logic over words. More precisely, the 
set of words satisfying some MSO formula can be defined by a finite automa- 
ton and vice versa. Since then, the study of automata models for generalized 
structures such as graphs or, more specifically, labeled partial orders and their 
relation to MSO logic has been a research area of great interest aiming at a 
deeper understanding of their logical and algorithmic properties (see [16] for an
overview).

In this paper, we show that MPAs accept exactly those MSC languages that 
are definable within the existential fragment of MSO (over MSCs), abbreviated 
by EMSO. We recall that emptiness for MPAs is undecidable and conclude that 
so is satisfiability for EMSO and universality for MSO logic. 

Furthermore, we show that MSO is strictly more expressive than EMSO. 
More specifically, the monadic quantifier-alternation hierarchy turns out to be 
infinite. Thus, MPAs do not necessarily accept a set of MSCs defined by an 
MSO formula. Furthermore, we use this result to conclude that the class of 
MSC languages that corresponds to MPAs is not closed under complementation, 
answering the question posed in [9]. 

MPAs with a priori unbounded channels have been rather used as a model 
to implement a given (high-level) MSC specification [5]. Previous results lack 
an algebraic or logical characterization of the corresponding class of languages. 
They deal with MPAs and sets of MSCs that make use only of a bounded part 
of the actually unbounded channel [6,9]. More specifically, when restricting to 
sets of so-called bounded MSCs, MSO captures exactly the class of those MSC 
languages that correspond to some bounded MPAs. 

Organization of the Paper. The next two sections introduce some basic notions 
and recall the definition of message sequence charts and (existential) monadic 
second-order logic. Section 4 deals with message-passing automata and their 
expressive equivalence to existential monadic second-order logic, while Section
5 studies the gap between monadic second-order formulas and their existential 
fragment. 

Acknowledgment. We would like to thank Dietrich Kuske for valuable remarks
and pointing out some inaccuracies in a previous version of this paper. We also
thank the anonymous referees for their helpful suggestions and comments.



2 Message Sequence Charts 

Forthcoming definitions are all made wrt. a fixed finite set $\mathcal{P}$ of at least two
processes. (Note that, in one proof, we assume the existence of at least three
processes.) We denote by $Ch$ the set $\{(p,q) \mid p,q \in \mathcal{P},\ p \neq q\}$ of reliable FIFO
channels. Thus, a message exchange is allowed between distinct processes only.
Let $Act_!$ denote the set $\{p!q \mid (p,q) \in Ch\}$ of send actions while $Act_?$ denotes
the set $\{q?p \mid (p,q) \in Ch\}$ of receive actions. Hereby, $p!q$ and $q?p$ are to be read
as "$p$ sends a message to $q$" and "$q$ receives a message from $p$", respectively. They
are related in the sense that they will label communicating events of an MSC,
which are joined by a message arrow in its graphical representation. Accordingly,
let $Com := \{(p!q, q?p) \mid (p,q) \in Ch\}$. Observe that an action $p\theta q$ ($\theta \in \{!, ?\}$) is
performed by process $p$, which is indicated by $P(p\theta q) = p$. We let $Act$ stand for
the union of $Act_!$ and $Act_?$ and, for $p \in \mathcal{P}$, set $Act_p$ to be the set
$\{a \in Act \mid P(a) = p\}$.

For a total order $\le$ on a finite set $E$, $<$ denotes the covering relation of $\le$: for
$e, e' \in E$, $e < e'$ if both $e \le e'$ with $e \neq e'$ and, for any $e'' \in E$ with $e'' \neq e$,
$e \le e'' \le e'$ implies $e'' = e'$.

Definition 1 (Message Sequence Chart). A message sequence chart (MSC)
is a structure $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ such that

— $E$ is a nonempty finite set of events,

— $\lambda : E \to Act$ is a labeling function,

— $<_p$ is the covering relation of some total order $\le_p$ on $E_p := \{e \in E \mid \lambda(e) \in Act_p\}$,

— $<_c \subseteq E \times E$ such that, for any $e, e' \in E$, $e <_c e'$ iff $(\lambda(e), \lambda(e')) \in Com$
  and $|{\downarrow}e \cap \lambda^{-1}(\lambda(e))| = |{\downarrow}e' \cap \lambda^{-1}(\lambda(e'))|$ (where, for $e \in E$, ${\downarrow}e$ is the set of
  events $e' \in E_{P(\lambda(e))}$ with $e' \le_{P(\lambda(e))} e$),

— $(<_c \cup \bigcup_{p \in \mathcal{P}} <_p)^*$ is a partial order, and

— $|\lambda^{-1}(p!q)| = |\lambda^{-1}(q?p)|$ for each $(p,q) \in Ch$.

Thus, events on one and the same process line are totally ordered, and events
on distinct process lines that communicate with each other in a FIFO manner
(wrt. $<_c$) are labeled with actions related by $Com$.

Given an MSC $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ and $e \in E$, $P(e)$ will serve as a shorthand
for $P(\lambda(e))$. The set of MSCs is denoted by $\mathbb{MSC}$ and a subset of $\mathbb{MSC}$ is called
an MSC language.

Henceforth, we identify a structure of any kind with its isomorphism class. 
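The conditions of Definition 1 can be checked mechanically once each process line is given as a sequence of actions. The following Python code is an added example and not part of the paper: it reconstructs $<_c$ by FIFO matching (the $k$-th send on a channel is the partner of the $k$-th receive, which is what the condition on $|{\downarrow}e \cap \lambda^{-1}(\lambda(e))|$ expresses), checks that every channel carries as many sends as receives, and checks that $<_c$ together with the process orders is acyclic. Process names as single integers and the action syntax `1!2` / `2?1` are assumptions of the example.

```python
from collections import defaultdict, deque

def parse_action(a):
    """'1!2' -> (1, '!', 2): process 1 sends to 2; '2?1' -> (2, '?', 1): process 2
    receives from 1. Processes are written as single integers here (an assumption)."""
    if "!" in a:
        p, q = a.split("!")
        return int(p), "!", int(q)
    q, p = a.split("?")
    return int(q), "?", int(p)

def channel(a):
    """The channel (p, q) that both p!q and q?p refer to."""
    proc, kind, other = parse_action(a)
    return (proc, other) if kind == "!" else (other, proc)

def build_msc(process_lines):
    """process_lines maps each process to its actions in <=_p order (top-down on the
    process line). Returns (events, covering, msg): events maps an event id to its
    action, covering is the union of the covering relations <_p, msg is <_c.
    Raises ValueError if one of the conditions of Definition 1 fails."""
    events, covering = {}, set()
    sends, recvs = defaultdict(list), defaultdict(list)   # channel -> events in <=_p order
    for p, actions in sorted(process_lines.items()):
        prev = None
        for k, a in enumerate(actions):
            proc, kind, _ = parse_action(a)
            if proc != p:
                raise ValueError(f"action {a} is not performed by process {p}")
            e = (p, k)                                  # the k-th event on process p
            events[e] = a
            if prev is not None:
                covering.add((prev, e))
            prev = e
            (sends if kind == "!" else recvs)[channel(a)].append(e)
    if not events:
        raise ValueError("E must be nonempty")
    # |lambda^-1(p!q)| = |lambda^-1(q?p)| for every channel (p, q)
    for ch in set(sends) | set(recvs):
        if len(sends[ch]) != len(recvs[ch]):
            raise ValueError(f"channel {ch}: {len(sends[ch])} sends, {len(recvs[ch])} receives")
    # <_c: the k-th send on a channel is the partner of the k-th receive on it (FIFO)
    msg = {(s, r) for ch in sends for s, r in zip(sends[ch], recvs[ch])}
    # (<_c U U_p <_p)^* is a partial order iff the edge relation is acyclic
    out, indeg = defaultdict(list), {e: 0 for e in events}
    for x, y in covering | msg:
        out[x].append(y)
        indeg[y] += 1
    queue = deque(e for e in events if indeg[e] == 0)
    visited = 0
    while queue:
        x = queue.popleft()
        visited += 1
        for y in out[x]:
            indeg[y] -= 1
            if indeg[y] == 0:
                queue.append(y)
    if visited != len(events):
        raise ValueError("the union of <_c and the process orders contains a cycle")
    return events, covering, msg

def is_msc(process_lines):
    """True iff the process lines form an MSC in the sense of Definition 1."""
    try:
        build_msc(process_lines)
        return True
    except ValueError:
        return False

# Constructed sample inputs (not taken from the paper).
REQ_ACK = {1: ["1!2", "1?2"], 2: ["2?1", "2!1"]}   # one request/acknowledge round trip
CROSSED = {1: ["1?2", "1!2"], 2: ["2?1", "2!1"]}   # each side waits for the other: cyclic
UNMATCHED = {1: ["1!2", "1!2"], 2: ["2?1"]}         # a send without a receive
```

`CROSSED` has balanced channels and valid process lines, yet the FIFO matching forces each receive before the corresponding send on the other side, so the transitive closure is not a partial order; `UNMATCHED` fails the last condition of Definition 1.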
3 (Existential) Monadic Second-Order Logic

Given supplies $Var = \{x, y, \ldots, x_1, x_2, \ldots\}$ of individual variables and $VAR =
\{X, Y, \ldots, X_1, X_2, \ldots\}$ of set variables, formulas from MSO, the set of monadic
second-order formulas (over MSCs), are built up from the atomic formulas

$\lambda(x) = a$ (for $a \in Act$), $x \in X$, $x <_p y$ (for $p \in \mathcal{P}$), $x <_c y$, $x = y$

(where $x, y \in Var$ and $X \in VAR$) and furthermore allow the Boolean connectives
$\neg, \vee, \wedge, \rightarrow$ and the quantifiers $\exists, \forall$, which can be applied to either kind of
variable.

Let $M = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ be an MSC. Given an interpretation function $\mathcal{I}$,
which assigns to an individual variable $x$ an event $\mathcal{I}(x) \in E$ and to a set variable
$X$ a set of events $\mathcal{I}(X) \subseteq E$, the satisfaction relation $M \models_{\mathcal{I}} \varphi$ for a formula
$\varphi$ is given by $M \models_{\mathcal{I}} \lambda(x) = a$ if $\lambda(\mathcal{I}(x)) = a$, $M \models_{\mathcal{I}} x <_p y$ if $\mathcal{I}(x) <_p \mathcal{I}(y)$,
and $M \models_{\mathcal{I}} x <_c y$ if $\mathcal{I}(x) <_c \mathcal{I}(y)$, while the remaining operators are defined as
usual.

For an MSO formula $\varphi$, the notation $\varphi(x_1, \ldots, x_m, X_1, \ldots, X_n)$ shall indicate
that at most the variables $x_1, \ldots, x_m, X_1, \ldots, X_n$ occur free in $\varphi$. An MSO formula
is called existential if it is of the form $\exists X_1 \ldots \exists X_n\, \varphi(X_1, \ldots, X_n, \overline{Y})$ where
$\overline{Y}$ is a block of second-order variables and $\varphi(X_1, \ldots, X_n, \overline{Y})$ is a first-order
formula. Let EMSO denote the class of existential MSO formulas. In general,
$\Sigma_k$ shall contain MSO formulas of the form $\exists \overline{X_1}\, \forall \overline{X_2} \ldots \exists/\forall \overline{X_k}\, \varphi(\overline{X_1}, \ldots, \overline{X_k}, \overline{Y})$
with first-order kernel $\varphi(\overline{X_1}, \ldots, \overline{X_k}, \overline{Y})$ (again, $\overline{X_i}$ and $\overline{Y}$ are blocks of second-order
variables)$^1$.

In the following sections, we usually consider MSO sentences, i.e., formulas
without free variables, and accordingly replace $\models_{\mathcal{I}}$ with $\models$. For an MSO sentence
$\varphi$, the MSC language of $\varphi$, denoted by $L(\varphi)$, is the set of MSCs $M$ with $M \models \varphi$.
For a set of MSO formulas $\mathcal{F}$, an MSC language $L$ is called $\mathcal{F}$-definable if $L = L(\varphi)$
for some sentence $\varphi \in \mathcal{F}$. We will show in a subsequent section that the classes of
$\Sigma_k$-definable languages form an infinite hierarchy when formulas are interpreted
over MSCs, resuming a result by Matz and Thomas, who proved infinity of
the hierarchy for grids [11]. In other words, the more alternation depth second-order
quantification allows, the more expressive formulas become. However, it
will turn out that, to cover the feasible area of realizable MSC languages (in
terms of message-passing automata), we can restrict to EMSO-definable MSC
languages. The class of MSO-definable MSC languages is denoted by $\mathcal{MSO}$, the
one of EMSO-definable languages by $\mathcal{EMSO}$.
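The satisfaction relation $M \models_{\mathcal{I}} \varphi$ of this section can be evaluated by brute force on small MSCs, which makes the difference between first-order and existential second-order quantification concrete. The following Python code is an added example, not part of the paper: formulas are encoded as nested tuples (an assumption of the example), individual quantifiers range over $E$ and set quantifiers over $2^E$. The EMSO sentence `EVEN_SENDS` expresses the classic parity property "process 1 performs an even number of sends" by guessing a set $X$ that alternates along $<_1$; the constructed MSCs `chain_msc(k)` consist of $k$ messages from process 1 to process 2.

```python
from itertools import combinations

def subsets(E):
    """All subsets of the finite event set E (the range of a set variable)."""
    E = sorted(E, key=repr)
    return [frozenset(c) for k in range(len(E) + 1) for c in combinations(E, k)]

def holds(M, phi, I=None):
    """The satisfaction relation M |=_I phi. M = (E, lt_p, lt_c, lam) with E the events,
    lt_p a dict p -> covering relation <_p (set of pairs), lt_c the set of message
    pairs and lam the labeling. I maps variables to events or to sets of events.
    Formulas are nested tuples (the encoding is an assumption of this example)."""
    E, lt_p, lt_c, lam = M
    I = I or {}
    op = phi[0]
    if op == "lab":                       # lambda(x) = a
        return lam[I[phi[1]]] == phi[2]
    if op == "in":                        # x in X
        return I[phi[1]] in I[phi[2]]
    if op == "lt_p":                      # x <_p y
        return (I[phi[2]], I[phi[3]]) in lt_p[phi[1]]
    if op == "lt_c":                      # x <_c y
        return (I[phi[1]], I[phi[2]]) in lt_c
    if op == "eq":                        # x = y
        return I[phi[1]] == I[phi[2]]
    if op == "not":
        return not holds(M, phi[1], I)
    if op == "and":
        return holds(M, phi[1], I) and holds(M, phi[2], I)
    if op == "or":
        return holds(M, phi[1], I) or holds(M, phi[2], I)
    if op == "imp":
        return (not holds(M, phi[1], I)) or holds(M, phi[2], I)
    if op in ("ex1", "all1"):             # first-order quantifiers range over E
        _, x, body = phi
        results = (holds(M, body, {**I, x: e}) for e in E)
        return any(results) if op == "ex1" else all(results)
    if op in ("ex2", "all2"):             # second-order quantifiers range over 2^E
        _, X, body = phi
        results = (holds(M, body, {**I, X: S}) for S in subsets(E))
        return any(results) if op == "ex2" else all(results)
    raise ValueError(f"unknown operator {op}")

def chain_msc(k):
    """Constructed MSC with k messages from process 1 to process 2 (not from the paper):
    events ('a', i) are the sends 1!2, events ('b', i) the receives 2?1."""
    A = [("a", i) for i in range(k)]
    B = [("b", i) for i in range(k)]
    E = set(A) | set(B)
    lt_p = {1: set(zip(A, A[1:])), 2: set(zip(B, B[1:]))}
    lt_c = set(zip(A, B))
    lam = {**{a: "1!2" for a in A}, **{b: "2?1" for b in B}}
    return E, lt_p, lt_c, lam

def lt1(x, y):
    return ("lt_p", 1, x, y)

def send(x):
    return ("lab", x, "1!2")

# EMSO sentence: process 1 sends an even number of messages. The guessed set X
# alternates along <_1, leaves out the first send and contains the last one.
ALTERNATE = ("all1", "x", ("all1", "y", ("imp", lt1("x", "y"),
             ("or", ("and", ("in", "x", "X"), ("not", ("in", "y", "X"))),
                    ("and", ("not", ("in", "x", "X")), ("in", "y", "X"))))))
FIRST_OUT = ("all1", "x", ("imp", ("and", send("x"), ("not", ("ex1", "y", lt1("y", "x")))),
             ("not", ("in", "x", "X"))))
LAST_IN = ("all1", "x", ("imp", ("and", send("x"), ("not", ("ex1", "y", lt1("x", "y")))),
           ("in", "x", "X")))
EVEN_SENDS = ("ex2", "X", ("and", ALTERNATE, ("and", FIRST_OUT, LAST_IN)))

# First-order sentence: every send of process 1 has a receive partner.
EVERY_SEND_RECEIVED = ("all1", "x", ("imp", send("x"), ("ex1", "y", ("lt_c", "x", "y"))))
```

The evaluator is exponential in $|E|$ for each set quantifier, which is fine for illustrating the semantics but is not a decision procedure; by Corollary 1 below, no algorithm decides satisfiability of EMSO sentences over all MSCs.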



4 Message-Passing Automata and Their Expressiveness 

In this section, we study distributed automata, called message-passing automata, 
which, as we will see, generate MSC languages in a natural manner. 



$^1$ Note that $\Sigma_1$ and EMSO coincide.
A message-passing automaton is a collection of finite-state machines that
share one global initial state and several global final states. The machines are
connected pairwise with a priori unbounded reliable FIFO buffers. The transitions
of each component are labeled with send or receive actions. A send action
$p!q$ puts a message at the end of the channel from $p$ to $q$. A receive action can
be taken provided the requested message is found in the channel. To extend the
expressive power, message-passing automata can send certain synchronization
messages. Let us be more precise:

Definition 2 (Message-Passing Automaton). A message-passing automaton
(MPA) is a structure $\mathcal{A} = ((\mathcal{A}_p)_{p \in \mathcal{P}}, \mathcal{D}, s_{in}, F)$ such that

— $\mathcal{D}$ is a nonempty finite set of synchronization messages (or data),

— for each $p \in \mathcal{P}$, $\mathcal{A}_p$ is a pair $(S_p, \Delta_p)$ where

  • $S_p$ is a nonempty finite set of ($p$-)local states and

  • $\Delta_p \subseteq S_p \times Act_p \times \mathcal{D} \times S_p$ is the set of ($p$-)local transitions,

— $s_{in} \in \prod_{p \in \mathcal{P}} S_p$ is the global initial state, and

— $F \subseteq \prod_{p \in \mathcal{P}} S_p$ is the set of global final states.

For a global state $s = (s_p)_{p \in \mathcal{P}} \in \prod_{p \in \mathcal{P}} S_p$ of $\mathcal{A}$, $s[p]$ will henceforth refer to $s_p$.

We now define the behavior of message-passing automata and, in doing so,
adhere to the style of [9]. In particular, an automaton will run on MSCs rather
than on linearizations of MSCs, allowing for its distributed behavior. Let $\mathcal{A} =
((\mathcal{A}_p)_{p \in \mathcal{P}}, \mathcal{D}, s_{in}, F)$, $\mathcal{A}_p = (S_p, \Delta_p)$, be an MPA and $M = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$
be an MSC. For a function $r : E \to \bigcup_{p \in \mathcal{P}} S_p$, we define $r^- : E \to \bigcup_{p \in \mathcal{P}} S_p$ to
map an event $e \in E$ onto $s_{in}[P(e)]$ if $e$ is minimal wrt. $<_{P(e)}$ and, otherwise,
onto $r(e')$ where $e' \in E_{P(e)}$ is the unique event with $e' <_{P(e)} e$. A run of $\mathcal{A}$ on $M$
is a pair $(r, m)$ of mappings $r : E \to \bigcup_{p \in \mathcal{P}} S_p$ with $r(e) \in S_{P(e)}$ for each $e \in E$
and $m : {<_c} \to \mathcal{D}$ such that, for any $e, e' \in E$, $e <_c e'$ implies

— $(r^-(e), \lambda(e), m((e, e')), r(e)) \in \Delta_{P(e)}$ and

— $(r^-(e'), \lambda(e'), m((e, e')), r(e')) \in \Delta_{P(e')}$.

For $p \in \mathcal{P}$, let $f_p$ denote $s_{in}[p]$ if $E_p$ is empty. Otherwise, let $f_p$ denote
$r(e)$ where $e \in E_p$ is the maximal event wrt. $\le_p$. We call $(r, m)$ accepting if
$(f_p)_{p \in \mathcal{P}} \in F$.

For an MPA $\mathcal{A}$, we denote by $L(\mathcal{A}) := \{M \in \mathbb{MSC} \mid$ there is an accepting run
of $\mathcal{A}$ on $M\}$ the language of $\mathcal{A}$. Let furthermore $\mathcal{MPA} := \{L \subseteq \mathbb{MSC} \mid L = L(\mathcal{A})$
for some MPA $\mathcal{A}\}$ denote the class of languages that are realizable as MPAs.
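The run definition above is local: each message pair $(e, e')$ constrains only the two transitions taken at $e$ and $e'$ and the datum $m((e, e'))$ they share. The following Python code is an added example and not part of the paper: it searches for an accepting run $(r, m)$ of a given MPA on a given MSC by assigning events in any linearization that respects the process orders and $<_c$ (the datum of a receive is fixed by its sending partner) and then checking $(f_p)_{p \in \mathcal{P}} \in F$. The dictionary encoding of MPAs and the request/acknowledge automaton are constructed for the example.

```python
def mpa_accepts(mpa, lines, msgs):
    """Search for an accepting run (r, m) of the MPA on an MSC. The MSC is given by
    `lines`, mapping every process to its list of (event, action) pairs in <=_p
    order, and `msgs`, the message relation <_c as (send event, receive event) pairs.
    mpa = {"delta": {p: set of (s, action, datum, s')}, "s_in": {p: state},
           "F": set of global states as tuples in ascending process order}."""
    delta, s_in, final = mpa["delta"], mpa["s_in"], mpa["F"]
    procs = sorted(lines)
    action = {e: a for p in procs for e, a in lines[p]}
    proc = {e: p for p in procs for e, _ in lines[p]}
    pred = {}                      # predecessor on the process line (None if minimal)
    for p in procs:
        for k, (e, _) in enumerate(lines[p]):
            pred[e] = lines[p][k - 1][0] if k else None
    partner = {}
    for s, t in msgs:
        partner[s], partner[t] = t, s
    r, m = {}, {}                  # r: event -> local state, m: send event -> datum

    def r_minus(e):                # r^-(e) from the run definition
        return s_in[proc[e]] if pred[e] is None else r[pred[e]]

    def next_event():
        """Some unassigned event whose process predecessor and, for a receive, whose
        sending partner are already assigned (any linearization gives the same run)."""
        for e in action:
            if e in r:
                continue
            if pred[e] is not None and pred[e] not in r:
                continue
            if "?" in action[e] and partner[e] not in r:
                continue
            return e
        return None

    def search():
        e = next_event()
        if e is None:
            # every event is assigned: (f_p)_p must be a global final state
            f = tuple(r[lines[p][-1][0]] if lines[p] else s_in[p] for p in procs)
            return f in final
        a = action[e]
        fixed = m[partner[e]] if "?" in a else None     # a receive reads the datum sent
        for (s, act, d, t) in delta[proc[e]]:
            if s != r_minus(e) or act != a or (fixed is not None and d != fixed):
                continue
            r[e] = t
            if fixed is None:
                m[e] = d
            if search():
                return True
            del r[e]
            m.pop(e, None)
        return False

    return search()

# Constructed example MPA (not from the paper): a request/acknowledge protocol between
# processes 1 and 2. The synchronization datum on a message is 'req' or 'ack'.
REQ_ACK_MPA = {
    "delta": {
        1: {("idle", "1!2", "req", "wait"), ("wait", "1?2", "ack", "idle")},
        2: {("idle", "2?1", "req", "busy"), ("busy", "2!1", "ack", "idle")},
    },
    "s_in": {1: "idle", 2: "idle"},
    "F": {("idle", "idle")},
}

def round_trips(k):
    """MSC with k consecutive request/ack round trips; events are (process, index)."""
    l1, l2, msgs = [], [], []
    for i in range(k):
        l1 += [((1, 2 * i), "1!2"), ((1, 2 * i + 1), "1?2")]
        l2 += [((2, 2 * i), "2?1"), ((2, 2 * i + 1), "2!1")]
        msgs += [((1, 2 * i), (2, 2 * i)), ((2, 2 * i + 1), (1, 2 * i + 1))]
    return {1: l1, 2: l2}, msgs

def lost_ack():
    """A request that is never acknowledged: the run ends in (wait, busy), not in F."""
    return {1: [((1, 0), "1!2")], 2: [((2, 0), "2?1")]}, [((1, 0), (2, 0))]

def pipelined():
    """Two requests sent before any ack: process 1 has no second send from 'wait'."""
    lines = {1: [((1, 0), "1!2"), ((1, 1), "1!2"), ((1, 2), "1?2"), ((1, 3), "1?2")],
             2: [((2, 0), "2?1"), ((2, 1), "2!1"), ((2, 2), "2?1"), ((2, 3), "2!1")]}
    msgs = [((1, 0), (2, 0)), ((1, 1), (2, 2)), ((2, 1), (1, 2)), ((2, 3), (1, 3))]
    return lines, msgs
```

`lost_ack()` is rejected by the global acceptance condition only: both local transitions exist, but the final global state $(wait, busy)$ is not in $F$. This is the kind of coordination the paper attributes to global acceptance and synchronization messages.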

Remark 1. The emptiness problem for MPAs is undecidable. 

Proof. Several decidability questions were studied for communicating finite-state 
machines, a slightly different variant of MPAs. Among them, (a problem related 
to) the emptiness problem for communicating finite-state machines turned out 
to be undecidable [3]. The proof can be easily adapted towards MPAs. □ 

We now turn towards one of our main results and first mention that an MPA 
can be effectively transformed into an equivalent EMSO sentence. 
Lemma 1. $\mathcal{MPA} \subseteq \mathcal{EMSO}$

Proof. Several instances of this problem have been considered in the literature 
and can be easily adapted to our setting. See [17], for example. □ 

Corollary 1. The following two problems are undecidable:

(a) Satisfiability for EMSO sentences over $\mathbb{MSC}$

(b) Universality for MSO sentences over $\mathbb{MSC}$

Proof. Using Remark 1 and Lemma 1, we obtain Corollary 1 (a). Corollary 1
(b) follows from an easy reduction from the satisfiability problem. □

In fact, any EMSO-definable MSC language is realizable as an MPA and, vice 
versa, any MSC language of some MPA has an appropriate EMSO counterpart. 

Theorem 1. $\mathcal{MPA} = \mathcal{EMSO}$

The proof will be based on the concept of graph acceptors [16], a generalization
of finite automata to labeled graphs, which are known to be expressively
equivalent to existential monadic second-order logic wrt. graphs of bounded degree.
We consider graph acceptors running on MSCs, thus, on structures of
bounded degree$^2$, which makes them applicable to our setting. A graph acceptor
works on a graph as follows: It first assigns to each node one of its control
states and then checks if the local neighborhood of each node (incorporating
the state assignment) corresponds to a pattern from a finite supply of so-called
spheres. In our setting, such a pattern is a labeled graph. For an alphabet $\Sigma$, we
assume in the following a $\Sigma$-labeled graph to be a nonempty and finite structure
$(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ of degree at most 3. In particular, $\lambda$ is a mapping $E \to \Sigma$,
while the edges can be considered to be $(\mathcal{P} \uplus \{c\})$-labeled. Note that an MSC is
an $Act$-labeled graph, while the converse does not necessarily hold.

Let us become more concrete and let $\Sigma$ and $R$ be an alphabet and a natural,
respectively. Given a $\Sigma$-labeled graph $G = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ (let in the
following $\prec$ denote $<_c \cup \bigcup_{p \in \mathcal{P}} <_p$) and elements $e, e' \in E$, the distance $d_G(e', e)$
from $e'$ to $e$ is $\infty$ if it holds $(e, e') \notin (\prec \cup \prec^{-1})^*$ and, otherwise, the minimal
natural number $k$ such that there is a sequence of elements $e_0, \ldots, e_k \in E$ with
$e_0 = e$, $e_k = e'$, and $e_i \prec e_{i+1}$ or $e_{i+1} \prec e_i$ for each $i \in \{0, \ldots, k-1\}$. Sometimes,
if it is clear from the context, we omit the subscript $G$. An $R$-sphere over
$\Sigma$ is a $\Sigma$-labeled graph $H = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma)$ together with a designated
sphere center $\gamma \in E$ such that, for any $e \in E$, $d_H(e, \gamma) \le R$. Two 2-spheres are
shown in Figure 1 where the sphere centers are depicted as rectangles. For a $\Sigma$-labeled
graph $G = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ and $e \in E$, let the $R$-sphere of $G$ around
$e$ be given by $(E', \{<'_p\}_{p \in \mathcal{P}}, <'_c, \lambda', e)$ where $E' = \{e' \in E \mid d_G(e', e) \le R\}$,
$<'_p = <_p \cap (E' \times E')$ for each $p \in \mathcal{P}$, $<'_c = <_c \cap (E' \times E')$, and $\lambda'$ is the
restriction of $\lambda$ to $E'$.

$^2$ Any node of the graph of an MSC has at most three direct neighbors.
A graph acceptor (over $Act$) is a structure $\mathcal{GA} = (Q, R, \Theta, Occ)$ such that $Q$
is a nonempty finite set of (control) states, $R \in \mathbb{N}$, $\Theta$ is a finite set of $R$-spheres
over $Act \times Q$ (as we identify isomorphic structures, we actually deal with a finite
set of isomorphism classes), and $Occ$ is a Boolean combination of conditions of
the form "sphere $H \in \Theta$ occurs at least $n$ times" where $n \in \mathbb{N}$. A run of $\mathcal{GA}$
on an $Act$-labeled graph $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ is a mapping $\rho : E \to Q$ such that,
for each $e \in E$, the $R$-sphere of $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, (\lambda, \rho))$ around $e$ is isomorphic
to some $H \in \Theta$. We call $\rho$ accepting if it satisfies the constraints imposed by $Occ$.
The language of $\mathcal{GA}$ wrt. a class $\mathcal{K}$ of $Act$-labeled graphs, denoted by $L_{\mathcal{K}}(\mathcal{GA})$, is
the set of $Act$-labeled graphs $G \in \mathcal{K}$ on which there is an accepting run of $\mathcal{GA}$.
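The two definitions above, the $R$-sphere of a graph around a node and the run of a graph acceptor, are worth seeing in executable form. The following Python code is an added example and not part of the paper: `sphere` computes the $R$-sphere by breadth-first search over the undirected version of $\prec$, `canonical` gives an isomorphism-invariant encoding of a sphere by minimizing over all node permutations (adequate for the small spheres used here), and `accepting_run` checks that a mapping $\rho : E \to Q$ is a run whose occurrence counts satisfy $Occ$. The labeled graphs, the acceptor `GA` and the encoding of $Occ$ as a predicate on occurrence counts are constructed for the example.

```python
from collections import deque
from itertools import permutations

# A labeled graph is (labels, edges): labels maps node -> label; edges is a set of
# (kind, x, y) triples, where kind is a process p (a <_p edge) or 'c' (a <_c edge).
def sphere(labels, edges, center, R):
    """The R-sphere of the graph around `center`: all nodes at undirected distance
    <= R, the edges induced on them, and the center."""
    nbrs = {v: set() for v in labels}
    for _, x, y in edges:
        nbrs[x].add(y)
        nbrs[y].add(x)                       # the distance ignores edge direction
    dist = {center: 0}
    queue = deque([center])
    while queue:
        x = queue.popleft()
        if dist[x] == R:
            continue
        for y in nbrs[x]:
            if y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    nodes = set(dist)
    return ({v: labels[v] for v in nodes},
            {(k, x, y) for k, x, y in edges if x in nodes and y in nodes},
            center)

def canonical(sph):
    """Isomorphism-invariant encoding of a sphere: the least relabeling over all
    permutations of its nodes (fine for spheres of a handful of nodes)."""
    labels, edges, center = sph
    nodes = sorted(labels, key=repr)
    best = None
    for perm in permutations(range(len(nodes))):
        idx = dict(zip(nodes, perm))
        enc = (idx[center],
               tuple(sorted((idx[v], repr(labels[v])) for v in nodes)),
               tuple(sorted((repr(k), idx[x], idx[y]) for k, x, y in edges)))
        if best is None or enc < best:
            best = enc
    return best

def isomorphic(h1, h2):
    return canonical(h1) == canonical(h2)

def accepting_run(ga, labels, edges, rho):
    """Check that rho : E -> Q is an accepting run of ga = (Q, R, Theta, Occ): the
    R-sphere of the (lambda, rho)-labeled graph around every node must be isomorphic
    to a sphere in Theta, and the occurrence counts must satisfy Occ."""
    R, theta, occ = ga["R"], ga["Theta"], ga["Occ"]
    ext = {v: (labels[v], rho[v]) for v in labels}          # labeling (lambda, rho)
    keys = [canonical(h) for h in theta]
    counts = [0] * len(theta)
    for v in ext:
        key = canonical(sphere(ext, edges, v, R))
        if key not in keys:
            return False
        counts[keys.index(key)] += 1
    return occ(counts)

# Constructed example (not from the paper): the graph of a single message 1!2 -> 2?1.
ONE_MSG_LABELS = {"a": "1!2", "b": "2?1"}
ONE_MSG_EDGES = {("c", "a", "b")}
ONE_MSG_RHO = {"a": "q0", "b": "q0"}
EXT = {v: (ONE_MSG_LABELS[v], ONE_MSG_RHO[v]) for v in ONE_MSG_LABELS}
GA = {
    "Q": {"q0"}, "R": 1,
    "Theta": [sphere(EXT, ONE_MSG_EDGES, "a", 1), sphere(EXT, ONE_MSG_EDGES, "b", 1)],
    # Occ: "the sphere centered at a send occurs at least once" (counts follow Theta's order)
    "Occ": lambda counts: counts[0] >= 1,
}
# Two messages on the same channel: the 1-sphere around the first send also contains
# the second send (via the <_1 edge), which matches no sphere of Theta.
TWO_MSG_LABELS = {"a1": "1!2", "a2": "1!2", "b1": "2?1", "b2": "2?1"}
TWO_MSG_EDGES = {(1, "a1", "a2"), (2, "b1", "b2"), ("c", "a1", "b1"), ("c", "a2", "b2")}
TWO_MSG_RHO = {v: "q0" for v in TWO_MSG_LABELS}
```

With a single control state the acceptor `GA` accepts exactly the graphs all of whose 1-spheres look like one isolated message, so the two-message graph is rejected even though each node's label and state are allowed; this locality is what the MPA construction in the proof of Theorem 1 has to reproduce by passing spheres along process lines and messages.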



Fig. 1. The sphere(s) of a graph acceptor. [Figure not reproduced: it shows two
2-spheres, (a) and (b), over $Act \times Q$; the sphere centers are drawn as rectangles
and the nodes carry labels such as $(1!2, q_0)$, $(2?1, q_1)$, $(2!3, q_2)$, $(3?2, q_3)$
and $(3?1, q_3)$.]



The rest of this section is dedicated to the proof of Theorem 1. 

Proof. It remains to show inclusion from right to left. So let $\varphi$ be an EMSO
sentence. We can assume the existence of a graph acceptor $\mathcal{GA}$ over $Act$ that,
running on MSCs, recognizes the MSC language defined by $\varphi$. In turn, $\mathcal{GA}$ will
be translated into an MPA $\mathcal{A}$ that captures the application of $\mathcal{GA}$ to MSCs, i.e.,
$L(\mathcal{A}) = L_{\mathbb{MSC}}(\mathcal{GA})$. So let $\mathcal{GA} = (Q, R, \Theta, Occ)$ be a graph acceptor over $Act$.

For our purpose, it suffices to consider only those $R$-spheres $H \in \Theta$ for which
there is an extended MSC $M = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$, which has an extended
labeling function $\lambda : E \to Act \times Q$, and an event $e \in E$ such that $H$ is the
$R$-sphere of $M$ around $e$. Other spheres cannot contribute to an MSC, because, to
become part of a run on some MSC $M$, an $R$-sphere has to admit an embedding
into $M$. In this sense, the 2-sphere illustrated in Figure 1 (a) may contribute to a
run on an MSC (it can be complemented by a $1!3$-labeled event arranged in order
between the two other events of process 1), while the 2-sphere illustrated aside is
irrelevant and will be ignored in the following. This assumption is essential, as it
ensures that, for each $H = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma) \in \Theta$ and $e \in E$, $d_H(e, \gamma) < R$
implies that $E$ also contains a communication partner of $e$ wrt. $<_c$.

In the following, we use notions that we have introduced for MSCs also for
spheres $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma)$ over $Act \times Q$, such as $P(e)$, $E_p$, and $\le_p$ (to
indicate the process of $e \in E$ and as abbreviations for $\lambda^{-1}(Act_p \times Q)$ and the
reflexive transitive closure of $<_p$, respectively)$^3$. For example, considering the
2-sphere from Figure 1 (a), $P(a) = 1$, $E_1 = \{a, e\}$, and $b \le_2 d$, but not $a \le_1 e$.
Let $maxE := \max\{|E| \mid (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma) \in \Theta\}$ and let $\Theta^+$ be the set of
extended $R$-spheres, i.e., the set of structures $((E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma, e), i)$ where
$(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma) \in \Theta$, $e \in E$ is the active node, and $i \in \{1, \ldots, 4 \cdot maxE^2 + 1\}$
is the current instance. For $p \in \mathcal{P}$, we define $\Theta_p := \{(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma) \in
\Theta \mid P(\gamma) = p\}$ and, furthermore, $\Theta^+_p := \{((E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma, e), i) \in \Theta^+ \mid
P(e) = p\}$. Finally, let $\max(Occ)$ denote the least threshold $n$ such that $Occ$
does not distinguish occurrence numbers $\ge n$.

For readability, we let in the following $\prec$ denote the collection of relations
$(\{<_p\}_{p \in \mathcal{P}}, <_c)$ and just write $(E, \prec, \lambda, \gamma)$ instead of $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda, \gamma)$.

The idea of the transformation is that, roughly speaking, $\mathcal{A}$ guesses a tiling of
the MSC to be read and then verifies that the tiling corresponds to an accepting
run of $\mathcal{GA}$. Accordingly, a local state of $\mathcal{A}$ holds a set of active $R$-spheres, i.e., a set
of spheres that play a role in its immediate environment of distance at most $R$.
Each local state $s$ (apart from the initial states, as we will see) carries exactly one
extended $R$-sphere $((E, \prec, \lambda, \gamma, e), i) \in \Theta^+$ with $\gamma = e$, which means that a run
of $\mathcal{GA}$ assigns $(E, \prec, \lambda, \gamma)$ to the event that corresponds to $s$. To establish
isomorphism between $(E, \prec, \lambda, \gamma)$ and the $R$-sphere induced by $s$, $s$ transfers/obtains
its obligations in form of an extended $R$-sphere $((E, \prec, \lambda, \gamma, e'), i)$ to/from its
immediate neighbors, respectively. For example, provided $e$ is labeled with a
send action and there is $e' \in E$ with $e <_c e'$, the message to be sent in state $s$
will contain $((E, \prec, \lambda, \gamma, e'), i)$, which, in turn, the receiving process understands
as a requirement to be satisfied. As there may be an overlapping of isomorphic
$R$-spheres, a state can hold several instances of one and the same sphere, which
then refer to distinct states/events as corresponding sphere center. Those
instances will be distinguished by means of the natural $i$. The benefit of $i$ will
become clear before long.

Let us turn to the construction of $\mathcal{A} = ((\mathcal{A}_p)_{p \in \mathcal{P}}, \mathcal{D}, s_{in}, F)$, $\mathcal{A}_p = (S_p, \Delta_p)$,
which is given as follows: For $p \in \mathcal{P}$, a local state of $\mathcal{A}_p$ is a pair $(\mathcal{S}, \nu)$ where

— $\nu$ is a mapping $\Theta_p \to \{0, \ldots, \max(Occ)\}$ (let in the following $\nu^0$ denote the
  function that maps each $R$-sphere $H \in \Theta_p$ to 0) and

— $\mathcal{S}$ is either the empty set or it is a subset of $\Theta^+_p$ such that

  • there is exactly one extended $R$-sphere $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}$ with $\gamma = e$
    (whose component $(E, \prec, \lambda, \gamma)$ we identify by $c(\mathcal{S})$ from now on) and

  • for any two $((E, \prec, \lambda, \gamma, e), i), ((E', \prec', \lambda', \gamma', e'), i') \in \mathcal{S}$,

    (a) $\lambda(e) = \lambda'(e') \in Act_p \times Q$ (so that we can assign a well-defined
        unique label $\lambda(\mathcal{S}) \in Act_p \times Q$ to $\mathcal{S}$, namely the labeling $\lambda(e)$ for
        some $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}$) and

    (b) if $(E, \prec, \lambda, \gamma) = (E', \prec', \lambda', \gamma')$ and $i = i'$, then $e = e'$.

The set $\mathcal{D}$ of synchronization messages is the cartesian product $2^{\Theta^+} \times 2^{\Theta^+}$.
Roughly speaking, the first component of a message contains obligations the
receiving state/event has to satisfy, while the second component imposes
requirements that must not be satisfied by the receiving process to ensure isomorphism.

$^3$ Note that, wrt. spheres, $\le_p$ is not necessarily a total order.
We now turn towards the definition of $\Delta_p$ and define $((\mathcal{S}, \nu), a, (\mathcal{V}, \mathcal{N}), (\mathcal{S}', \nu')) \in
\Delta_p$ if the following hold:

1. $\lambda(\mathcal{S}') = (a, s)$ for some $s \in Q$.

2. For any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}$ and $e' \in E_p$, if $((E, \prec, \lambda, \gamma, e'), i) \in \mathcal{S}'$, then
   $e <_p e'$.

3. For any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}'$, if $\mathcal{S} \neq \emptyset$ and $e$ is minimal in $(E_p, \le_p)$, then
   $d(e, \gamma) = R$.

4. For any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}$, if $e$ is maximal in $(E_p, \le_p)$, then $d(e, \gamma) = R$.

5. For any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}'$, if $e$ is not minimal in $(E_p, \le_p)$, then we have
   $((E, \prec, \lambda, \gamma, e^-), i) \in \mathcal{S}$ where $e^- \in E_p$ is the unique event with $e^- <_p e$.

6. For any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}$, if $e$ is not maximal in $(E_p, \le_p)$, then we
   have $((E, \prec, \lambda, \gamma, e^+), i) \in \mathcal{S}'$ where $e^+ \in E_p$ is the unique event such that
   $e <_p e^+$.

7. (i) In case that $a = p!q$ for some $q \in \mathcal{P}$:

   (a) for any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}'$ and any $e' \in E$, if $e <_c e'$, then we
       have $((E, \prec, \lambda, \gamma, e'), i) \in \mathcal{V}$,

   (b) for any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}'$ and any $e' \in E$, if $e \not<_c e'$, then we
       have $((E, \prec, \lambda, \gamma, e'), i) \in \mathcal{N}$, and

   (c) for any $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{V}$, there is $e' \in E$ such that $e' <_c e$ and
       $((E, \prec, \lambda, \gamma, e'), i) \in \mathcal{S}'$.

   (ii) In case that $a = p?q$ for some $q \in \mathcal{P}$:

   (a) $\mathcal{V} \subseteq \mathcal{S}'$,

   (b) $\mathcal{N} \cap \mathcal{S}' = \emptyset$, and

   (c) for any $((E, \prec, \lambda, \gamma, e'), i) \in \mathcal{S}'$, if there is $e \in E$ with $e <_c e'$, then
       $((E, \prec, \lambda, \gamma, e'), i) \in \mathcal{V}$.

8. $\nu' = \nu[c(\mathcal{S}') / \min\{\nu(c(\mathcal{S}')) + 1, \max(Occ)\}]$ (i.e., $\nu'$ maps $c(\mathcal{S}')$ to the minimum
   of $\nu(c(\mathcal{S}')) + 1$ and $\max(Occ)$ and, otherwise, coincides with $\nu$).

Thus, Condition 1. guarantees that any state within a run has the same
labeling as the event it is assigned to. Condition 2. makes sure that, whenever
there is a $<_p$-edge in the input MSC, then there is a corresponding edge in
the extended sphere that is passed from the source to the target state of the
corresponding transition. Conversely, if there is no $<_p$-edge between two nodes
in the extended sphere, then it must not be passed directly, to impose the same
behavior on the MSC, i.e., the corresponding events in the MSC must not touch
each other. Conditions 3. and, dually, 4. make sure that a sphere that does not
make use of the whole radius $R$ is employed in the initial or final phase of a run
only. By Conditions 5. and 6., extended spheres must be passed along a process
line as far as possible, hereby starting in a minimal and ending in a maximal
active node. Condition 7. ensures the corresponding requirements beyond process lines,
i.e., for messages. Finally, Condition 8. guarantees that the second component of each
state correctly keeps track of the number of spheres used so far.

Furthermore, $s_{in} = ((\emptyset, \nu^0))_{p \in \mathcal{P}}$ and, for $(\mathcal{S}_p, \nu_p) \in S_p$, $((\mathcal{S}_p, \nu_p))_{p \in \mathcal{P}} \in F$ if
the union of mappings $\nu_p$ satisfies the requirements imposed by $Occ$ and, for all
$p \in \mathcal{P}$ and $((E, \prec, \lambda, \gamma, e), i) \in \mathcal{S}_p$, $e$ is maximal in $(E_p, \le_p)$. In fact, it holds
$L(\mathcal{A}) = L_{\mathbb{MSC}}(\mathcal{GA})$.

Let $\rho : E \to Q$ be an accepting run of $\mathcal{GA}$ on $M = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda) \in \mathbb{MSC}$
and let $\overline{\rho}$ denote the mapping $E \to \Theta$ that maps an event $e \in E$ onto the
$R$-sphere of $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, (\lambda, \rho))$ around $e$. In an accepting run $(r, m)$ of $\mathcal{A}$ on
$M$, $r$ basically assigns to an event $e \in E$, apart from the obvious mapping
$\nu$, the set of those extended spheres $((E, \prec, \lambda, \gamma, e_0), i) \in \Theta^+$ such that there
is an event $e' \in E$ with both $d_M(e', e) \le R$ and $(E, \prec, \lambda, \gamma, e_0)$ is isomorphic to
$(\overline{\rho}(e'), e)$. Hereby, $maxE$ is sufficiently large to guarantee an instance labeling
that is consistent with the transition relation of $\mathcal{A}$. If we suppose $m : {<_c} \to \mathcal{D}$
to map a pair $(e_s, e_r) \in {<_c}$ onto $(\mathcal{V}, \mathcal{N})$ where (set $(\mathcal{S}, \nu)$ to be $r(e_s)$) $\mathcal{V} =
\{((E, \prec, \lambda, \gamma, e'_0), i) \in \Theta^+ \mid$ there is $e_0 \in E$ with $((E, \prec, \lambda, \gamma, e_0), i) \in \mathcal{S}$ and
$e_0 <_c e'_0\}$ and $\mathcal{N} = \{((E, \prec, \lambda, \gamma, e'_0), i) \in \Theta^+ \mid$ there is $e_0 \in E$ such that
$((E, \prec, \lambda, \gamma, e_0), i) \in \mathcal{S}$ and $e_0 \not<_c e'_0\}$, $(r, m)$ is an accepting run of $\mathcal{A}$ on $M$.

Conversely, let $(r, m)$ be an accepting run of $\mathcal{A}$ on $M = (E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda) \in
\mathbb{MSC}$. If we define $\rho : E \to Q$ to map an event $e \in E$ to the control state that is
associated with the sphere center of $c(\mathcal{S})$ where $r(e) = (\mathcal{S}, \nu)$ for some $\nu$, then $\rho$
turns out to be an accepting run of $\mathcal{GA}$ on $M$. □

Example 1. In the following, let $H$ denote the 2-sphere from Figure 1 (a). Figure
2, showing some MSC $M$ with four processes, illustrates the transition behavior
of the MPA $\mathcal{A}$ from the above proof. It demonstrates how a run of $\mathcal{A}$ on $M$
transfers extensions of $H$ from one event of $M$ to a neighboring one to make
sure that the 2-sphere around event $e_c$ (which is indicated by solid edges) is
isomorphic to $H$. For example, the state that is taken on event $e_a$ may contain
the extended sphere $(H, a)$. (For clarity, control states and the natural $i$ to
distinguish different instances of spheres are omitted.) As $a <_c b$ (wrt. the edge
relation of $H$), $\mathcal{A}$ passes $(H, b)$ in form of a message to process 2. Receiving
$(H, b)$, process 2 becomes aware it should bind $e_b$ to some state that contains
$(H, b)$ (conditions 7. (i) (a) and 7. (ii) (a) from the definition of the transition
relation). As, in $H$, $b$ is followed by $c$, $e_c$ has to be associated with a state
containing $(H, c)$ (condition 6.). In contrast, $e_h$ is not allowed to carry the
extended sphere $(H, e)$, unless it belongs to a different instance of $H$ (condition
2.). Now consider $e_d$, which holds the extended sphere $(H, d)$. Due to condition
5., the preceding state, which is associated to $e_c$, must contain $(H, c)$, which
means that a run cannot simply enter $H$ beginning with $d$. Moreover, as $e_d$ is
a receive event, $\mathcal{A}$ has to receive a message containing $(H, d)$ (condition 7. (ii)
(c)). In turn, the corresponding send event $e_e$ has to be associated with a state
that holds $(H, e)$ (condition 7. (i) (c)). Note that, as $d(a, c) = d(e, c) = 2$, the
(illustrated parts of the) states assigned to $e_a$ and $e_e$ satisfy conditions 3. and 4.



5 Beyond Realizability 

Fig. 2. Simulating a graph acceptor [figure not reproduced]

In this section, we show that MSO logic over MSCs is strictly more expressive
than EMSO. Together with the results of the previous section, this will be used
to show that MPAs cannot be complemented in general. More specifically, we
show that quantifier alternation forms a hierarchy:

Theorem 2. The monadic quantifier-alternation hierarchy over $\mathbb{MSC}$ is infinite.

Proof. Matz and Thomas proved infinity of the monadic quantifier-alternation
hierarchy over grids [11,16]. Using an idea from [15], we show how grids can
be encoded into MSCs and then rewrite their result in terms of MSCs adapting
their proof to our setting.

For a positive natural $n \in \mathbb{N}_{\ge 1}$, we use $[n]$ as a shorthand for $\{1, \ldots, n\}$.
Given $n, m \in \mathbb{N}_{\ge 1}$, the $(n,m)$-grid (with $n$ rows and $m$ columns) is the structure
$g(n,m) := ([n] \times [m], S_1, S_2)$ where $S_1, S_2 \subseteq ([n] \times [m])^2$ contain the pairs
$((i,j), (i+1,j)) \in ([n] \times [m])^2$ and $((i,j), (i,j+1)) \in ([n] \times [m])^2$, respectively.
A relation $R \subseteq \mathbb{N}_{\ge 1} \times \mathbb{N}_{\ge 1}$ may be represented by the grid language
$\{g(n,m) \mid (n,m) \in R\}$. As a unary function $f : \mathbb{N}_{\ge 1} \to \mathbb{N}_{\ge 1}$ can be considered
as a binary relation, we define the grid language $\mathcal{G}(f)$ of $f$ to be the set
$\{g(n, f(n)) \mid n \in \mathbb{N}_{\ge 1}\}$. A grid $g(n,m)$ can be folded to an MSC $M(n,m)$ as
exemplarily shown for $g(3,5)$ in Figure 3.




Message-Passing Automata Are Expressively Equivalent to EMSO Logic

[Fig. 3, not reproduced: the grid $g(3,5)$, with nodes $(1,1), (2,1), (3,1), \ldots, (1,5), (2,5), (3,5)$,
folded into the MSC $M(3,5)$.]



A similar encoding is used by Kuske to prove infinity of the monadic quantifier-alternation
hierarchy for certain pomsets over at least two processes [8]. However,
we introduce a third process to obtain distinguished labelings of events that mark
the end of a column in the grid to be encoded, which is signaled by sending a
message to process 3. By the type of an event, we furthermore recognize which
events really correspond to a node of the grid, namely those that are labeled
with a send action performed by process 1 or 2.
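Figure 3 is not reproduced here, but the folding can be reconstructed from the description above together with the two column words the proof of Claim 2 lists for $M(3,5)$, namely $[(1!2)^2 (1!3) (3?1) (3!2)]$ and $[((2?1)(2!1))^2 (2?3) (2!3) (3?2) (3!1)]$. The following Python code is an added example and not part of the paper: it builds the per-process action sequences of $M(n,m)$ under the convention that odd columns lie on process 1 and even columns on process 2, that node $(i,j)$ is the $i$-th send of column $j$, that rows $1, \ldots, n-1$ send to the other column process while row $n$ sends the end-of-column marker to process 3, which relays it to the process of the next column. How the paper terminates the last column is not visible on the page; the example assumes that the other column process simply consumes the pending messages so that every channel stays balanced.

```python
from collections import Counter

def fold_grid(n, m):
    """Per-process action sequences of the folding M(n, m) of the (n, m)-grid, plus the
    list of column words. The folding convention is an assumption of this example,
    chosen to reproduce the column words the paper lists for M(3, 5)."""
    lines = {1: [], 2: [], 3: []}
    cols = []
    for j in range(1, m + 1):
        p = 1 if j % 2 else 2            # process carrying column j
        q = 3 - p                        # the other column process
        col = []
        for i in range(1, n + 1):
            if j > 1:                    # node (i, j) first receives from (i, j-1),
                col.append(f"{p}?{q}" if i < n else f"{p}?3")   # row n via process 3
            col.append(f"{p}!{q}" if i < n else f"{p}!3")       # then sends (the grid node)
        col += [f"3?{p}", f"3!{q}"]      # process 3 marks the end of the column
        cols.append(col)
    last = 1 if m % 2 else 2
    # Assumption: after the last column, the other column process drains the channels.
    tail = [f"{3 - last}?{last}"] * (n - 1) + [f"{3 - last}?3"]
    for a in [a for col in cols for a in col] + tail:
        lines[int(a[0])].append(a)       # a[0] is the acting process (single digit)
    return lines, cols

def grid_nodes(lines):
    """Number of events that correspond to grid nodes: sends of process 1 or 2."""
    return sum(1 for p in (1, 2) for a in lines[p] if "!" in a)

def channels_balanced(lines):
    """|lambda^-1(p!q)| = |lambda^-1(q?p)| for every channel (p, q)."""
    sends, recvs = Counter(), Counter()
    for acts in lines.values():
        for a in acts:
            if "!" in a:
                p, q = a.split("!")
                sends[(int(p), int(q))] += 1
            else:
                q, p = a.split("?")
                recvs[(int(p), int(q))] += 1
    return sends == recvs
```

Reading the column words of `fold_grid(3, 5)` in order is exactly what the word automaton $\mathcal{A}_3$ in the proof of Claim 2 does, and `grid_nodes` confirms that the $n \cdot m$ grid positions are recovered as the sends of processes 1 and 2.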

A grid language $\mathcal{G}$ defines the MSC language $L(\mathcal{G}) := \{M(n,m) \mid g(n,m) \in \mathcal{G}\}$.
For a function $f : \mathbb{N}_{\ge 1} \to \mathbb{N}_{\ge 1}$, we furthermore write $L(f)$ as a shorthand
for the MSC language $L(\mathcal{G}(f))$. We now closely follow [16], which resumes the
result of [11]. So let, for $k \in \mathbb{N}$, the functions $s_k, f_k : \mathbb{N}_{\ge 1} \to \mathbb{N}_{\ge 1}$ be inductively
defined via $s_0(n) = n$, $s_{k+1}(n) = 2^{s_k(n)}$, $f_0(n) = n$, and $f_{k+1}(n) = f_k(n) \cdot 2^{f_k(n)}$.

Claim 1. For each $k \in \mathbb{N}$, the MSC language $L(f_k)$ is $\Sigma_{2k+3}$-definable.

Proof of Claim 1. It is easy to prove that the set of possible grid foldings is
EMSO-definable (or, equivalently, the language of some MPA). As, furthermore,
a grid is interpretable in a grid folding by first-order formulas, we can show that,
for any $k \ge 1$, if a grid language $\mathcal{G}$ is $\Sigma_k$-definable (over grids), then $L(\mathcal{G})$ is
$\Sigma_k$-definable (over MSCs). The claim follows from the fact that any grid language
$\mathcal{G}(f_k)$ is $\Sigma_{2k+3}$-definable [16].

Claim 2. Let $f : \mathbb{N}_{\geq 1} \to \mathbb{N}_{\geq 1}$ be a function. If $L(f)$ is $\Sigma_k$-definable (over MSCs) for some $k \geq 1$, then $f(n)$ is in $s_k(O(n))$.

Proof of Claim 2. Let $k \geq 1$ and let in the following the events of an MSC $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ be labeled with elements from $Act \times \{0,1\}^l$ for some $l \in \mathbb{N}_{\geq 1}$, i.e., $\lambda : E \to Act \times \{0,1\}^l$. But note that the type of an event still depends on the type of its communication action only. Let furthermore $\varphi(Y_1, \ldots, Y_l)$ be a $\Sigma_k$-formula defining a set of MSCs over the new label alphabet that are foldings of grids. For a fixed column length $n \geq 1$, we will build a nondeterministic finite word automaton $\mathcal{A}_n$ over $(Act \times \{0,1\}^l)^*$ with $s_{k-1}(c^n)$ states (for some constant $c$) that reads grid-folding MSCs column by column and is equivalent to $\varphi(Y_1, \ldots, Y_l)$ wrt. grid foldings with column length $n$. Column here means a sequence of communication actions, each provided with an additional label, that represents a column in the corresponding grid. For example, running on the MSC $M(3,5)$ as shown in Figure 3, $\mathcal{A}_3$ first reads the letter $[(1!2)^2\,(1!3)\,(3?1)\,(3!2)]$ (recall that each action is still provided with an extra labeling, which we omit here for the sake of clarity), then continues reading $[((2?1)\,(2!1))^2\,(2?3)\,(2!3)\,(3?2)\,(3!1)]$ and so on. Then the shortest word accepted by $\mathcal{A}_n$ has length $\leq s_{k-1}(c^n)$ so that, if $\varphi(Y_1, \ldots, Y_l)$ defines an MSC language $L(f)$ for some $f$, we have $f(n) \in s_k(O(n))$. Let us now turn to the construction of $\mathcal{A}_n$. The formula $\varphi(Y_1, \ldots, Y_l)$ is of the form $\exists X_k\, \forall X_{k-1} \ldots \exists/\forall X_1\; \psi(Y_1, \ldots, Y_l, X_k, \ldots, X_1)$ or, equivalently, $\exists X_k\, \neg\exists X_{k-1}\, \neg \ldots \neg\exists X_1\; \psi'(Y_1, \ldots, Y_l, X_k, \ldots, X_1)$. We proceed by induction on $k$. For $k = 1$, $\varphi(Y_1, \ldots, Y_l)$ is an EMSO formula. According to [16], its MSC language (consisting of MSCs with extended labelings) coincides with the MSC language of some graph acceptor. The transformation from graph acceptors to MPAs from the proof of Theorem 1 can be easily adapted to handle the extended labeling. Thus, $\varphi(Y_1, \ldots, Y_l)$ defines a language that is realizable by an MPA $\mathcal{A} = ((\mathcal{A}_p)_{p \in \mathcal{P}}, D, s_{in}, F)$. The automaton $\mathcal{A}_n$ can now be obtained from $\mathcal{A}$ using a part of its global transition relation $\Rightarrow_{\mathcal{A}} \subseteq (S_{\mathcal{A}} \times C_{\mathcal{A}}) \times ((Act \times \{0,1\}^l) \times D) \times (S_{\mathcal{A}} \times C_{\mathcal{A}})$ (as it is defined, for example, in [6]) where $S_{\mathcal{A}}$ is the cartesian product of the local state spaces of $\mathcal{A}$ and $C_{\mathcal{A}} := \{\chi \mid \chi : Ch \to (D \uplus \{\top\})^*\}$ is the set of possible channel contents. Note that only a bounded number of channel contents has to be considered, as the set of grid foldings with column length $n$ forms a $\max\{1, n-1\}$-bounded MSC language (cf. [6] for the definition of boundedness). Due to $|S_{\mathcal{A}} \times C_{\mathcal{A}}| \leq (|S_{\mathcal{A}}| \cdot (|D| + 1))^{|Ch| \cdot n} \leq c^n$ for some constant $c$, $c^n = s_0(c^n)$ is an upper bound for the number of states of $\mathcal{A}_n$, which only depends on the automaton $\mathcal{A}$ and, thus, on $\varphi(Y_1, \ldots, Y_l)$. The induction steps respectively involve both a complementation step (for negation) and a projection step (concerning existential quantification). While the former increases the number of states exponentially, the latter leaves it constant so that, altogether, the required number of states is obtained. This concludes the proof of Claim 2.

As $f_{k+1}(n)$ is not in $s_k(O(n))$, it follows from Claims 1 and 2 that the hierarchy of classes of $\Sigma_k$-definable MSC languages ($k = 1, 2, \ldots$) is infinite. $\square$
Corollary 2. $\mathcal{MPA} \subsetneq \mathcal{MSO}$

As $\mathcal{MPA} = \mathcal{EMSO}$, it follows that the complement $\overline{L} := \{M \in \mathit{MSC} \mid M \notin L\}$ of an MSC language $L \in \mathcal{MPA}$ is not necessarily contained in $\mathcal{MPA}$, too [15]. Thus, we get the answer to an open question, which has been raised by Kuske [9].

Theorem 3. $\mathcal{MPA}$ is not closed under complement.



6 Discussion 

Recall that we consider an MSC to be a graph, which corresponds to the view taken in [10] but is different from the one in [6, 9], which model an MSC as a labeled partial order $(E, <, \lambda)$. However, while the way to define an MSC immediately affects the syntax and expressivity of (fragments of) the corresponding monadic second-order logic, Theorem 3 holds independently of that modeling, for the following reason: there is a one-to-one correspondence between an MSC structure $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ and its counterpart $(E, <, \lambda)$ with $<\; = (<_c \cup \bigcup_{p \in \mathcal{P}} <_p)^*$. This correspondence carries over to MSO logic in the signature proposed in this paper. In other words, an MSO formula is satisfied by $(E, \{<_p\}_{p \in \mathcal{P}}, <_c, \lambda)$ iff it is satisfied by $(E, <, \lambda)$ (where a formula will be interpreted over labeled partial orders $(E, <, \lambda)$ of MSCs in the obvious manner). As the definition of a message-passing automaton is robust against the concrete modeling, too, Theorem 3 can be applied to any common definition of what an MSC is. However, our logic can only be considered to be the canonical (existential) monadic second-order logic if MSCs are given by their graphs.

If, for some $B \geq 1$, we restrict to $B$-bounded MSCs (see [6] for details), EMSO$[<_p, <_c]$, MSO$[<_p, <_c]$, EMSO$[<]$, and MSO$[<]$ coincide wrt. expressiveness. Thus, our work subsumes the work by Henriksen et al. [6].

Note that, for clarity, an MSC does not carry any information about the 
concrete messages to be sent. However, preceding results can be easily extended 
towards MSCs that are equipped with message information, as they are provided 
in [1,2,5], for example. 

Let us recall the results of the previous sections: We have studied the class of 
MSC languages that corresponds to EMSO logic and MPAs. By means of graph 
acceptors, we have shown that MPAs are expressively equivalent to EMSO logic. 
In particular, for every EMSO sentence, there exists an equivalent MPA. Our 
proof is based on results by Thomas, which, in turn, refer to Hanf’s Theorem. 
For practical applications, it would be desirable to have a simple effective trans- 
formation from (fragments of) EMSO to MPAs of reasonable complexity. 

Furthermore, we proved that the class of MSC languages definable in MSO 
logic is strictly larger. Consequently, MPAs cannot be complemented in general. 
This question was raised in [9]. 

It remains to discuss the relation between the nondeterministic automata model and a deterministic one in the unbounded setting. In [13, 9], it was shown that deterministic MPAs suffice to realize regular bounded MSC languages. This question was also addressed in [4] regarding the related model of asynchronous cellular automata for pomsets without autoconcurrency.

It would also be interesting to have logics that capture formalisms such as 
locally- and globally-synchronized HMSCs and related automata models [5]. 
Symbolic Bisimulation in the Spi Calculus*

Abstract. The spi calculus is an executable model for the description 
and analysis of cryptographic protocols. Security objectives like secrecy 
and authenticity can be formulated as equations between spi calculus 
terms, where equality is interpreted as a contextual equivalence. 

One problem with verifying contextual equivalences for message- 
passing process calculi is the infinite branching on process input. In this 
paper, we propose a general symbolic semantics for the spi calculus, 
where an input prefix gives rise to only one transition. 

To avoid infinite quantification over contexts, non-contextual con- 
crete bisimulations approximating barbed equivalence have been defined. 
We propose a symbolic bisimulation that is sound with respect to barbed 
equivalence, and brings us closer to automated bisimulation checks. 



1 Background, Related Work, and Summary 

Verification of Cryptographic Protocols in the Spi Calculus. Abadi and Gordon 
designed the spi calculus as an extension of the pi calculus with encryption primitives in order to describe and formally analyze cryptographic protocols [AG99]. 
The success of the spi calculus is due to at least three reasons. (1) It is equipped 
with an operational semantics; thus any protocol described in the calculus may be 
regarded as executable. (2) Security properties can be formulated as equations 
on process terms, so no external formalism is needed. (3) Contextual equiva- 
lences on process terms avoid the need to explicitly model the attacker; they 
take into account any attacker that can be expressed in the calculus. 

For example, we may wish to analyze the trivial cryptographic protocol

$(\nu k)(A \mid B)$ where $A := \overline{a}\langle E_k\, m\rangle$ and $B := a(x).\overline{f}\langle D_k\, x\rangle$

consisting of participant $A$ sending on channel $a$ the message $m$, encrypted under the secret shared symmetric key $k$, to participant $B$ who tries to decrypt the received message and, in case of successful decryption, outputs the result on channel $f$. We may compare this protocol with its specification

$(\nu k)(A \mid B')$ where $A := \overline{a}\langle E_k\, m\rangle$ and $B' := a(y).[D_k\, y : \mathcal{M}]\,\overline{f}\langle m\rangle$

where $B'$ transmits the correct message $m$ on channel $f$ whenever the dummy message (on reception bound to $y$) can be decrypted (as expressed by the guard $[D_k\, y : \mathcal{M}]$). If the equation $(\nu k)(A \mid B) = (\nu k)(A \mid B')$ holds, then no context is able to influence the authenticity (more precisely: integrity) of the message $m$.

Apart from the equational style, cryptographic protocols in the spi calculus 
are analyzed by control flow analysis, trace analysis, reachability analysis, and 
type systems; they are beyond the scope of this paper. 

Equivalences. To verify security properties expressed in the equational style, we 
need to give an interpretation for the equation symbol. Contextual equivalences — 
two terms are related if they behave in the same way in all contexts — are attrac- 
tive because the quantification over all contexts directly captures the intuition 
of an unknown attacker expressible within the spi calculus [AG99]. 

The notions of may-testing equivalence and barbed equivalence are the most 
prominent contextual equivalences [see the right column of Fig. 1]. Their main 
distinction is linear time versus branching time: The former considers the pos- 
sibility of passing tests after sequences of computation steps; the latter has a 
more refined view, also comparing the derivatives of internal computation. Se- 
crecy and authenticity are usually seen as trace-based properties and formulated 
in terms of testing equivalence; however, testing is not known to be sufficient for 
anonymity or fairness [CS02]. 

Proof Methods for Contextual Equivalences. Although intuitive, the quantifica- 
tion over contexts makes direct proofs of contextual equivalences notoriously 
difficult. This problem is traditionally dealt with by defining equivalent non- 
contextual relations [see the middle column of Fig. 1]. Applying this pattern to 
the spi calculus, Boreale, De Nicola, and Pugliese [BDP02] introduced a trace 
equivalence corresponding to testing equivalence, as well as an “environment- 
sensitive” labeled bisimulation as the counterpart of barbed equivalence. 

Because of the practical usefulness of the definition of bisimulations in terms 
of co-induction, they are used as proof techniques for trace-based equivalences. 
With this goal, and in a style quite different to [BDP02], Abadi and Gordon 
proposed framed bisimulation [AG98], that is however incomplete with respect 
to barbed equivalence. This was analyzed and remedied by Borgström and Nestmann, yielding hedged bisimulation [BN02]. 

Infinite Branching & Symbolic Proof Methods. Once we have provided a non- 
contextual alternative for our chosen equivalence, we face an inherent problem 
with the operational semantics of message-passing process calculi: The possibility 
to receive arbitrary messages (like participant B performs along channel a in the example above) gives rise to an infinite number of “concrete” transitions. Using a less concrete semantics for process input [HL95,BD96], the substitution of received messages for input variables never takes place. Instead, an input prefix produces a single “symbolic” transition, where the input variable is instantiated lazily, i.e., only when used, and indirectly by collecting the constraints on it that are necessary for a transition to take place. This idea was exploited to implement bisimulation-checking algorithms for the pi calculus [San96, VM94]. 

Symbolic semantics have also been defined for the limited setting of non- 
mobile spi calculi, where no channel-passing is allowed or channels do not even 
exist: examples are the works by Huima [Hui99], Boreale [Bor01], Amadio and Lugiez [AL00], and Fiore and Abadi [FA01]. For the full spi calculus, where 
complex messages including keys and channel names pose new challenges, the 
only symbolic semantics that we are aware of was proposed by Durante et al. 
[DSV03]. However, it is rather complicated, mainly since it is tailored to capture 
trace semantics. We seek a simpler and more general symbolic semantics, that 
should also work well for bisimulation techniques. 

Towards Symbolic Bisimulation. In this paper, we propose a symbolic bisimula- 
tion for the spi calculus. Here, the elements of a bisimulation consist of a process 
pair and an environment; the latter captures the knowledge that an attacker has 
acquired in previous interactions with the process pair. This considerably com- 
plicates the generalization of symbolic bisimulation from pi to spi: (1) we must 
keep track of when an attacker has learned some piece of information so that he 
can only use it for instantiating inputs taking place later on; (2) the combination 
of scope extrusion and complex guards and expressions makes a precise corre- 
spondence to concrete semantics challenging; (3) the cryptographic knowledge of 
the environment should be represented clearly and compactly; (4) environment 
inconsistency, signaling that the environment has noticed a difference between 
the supposedly equivalent processes, must be carefully defined. These challenges 
are in parts shared with existing work on symbolic trace equivalence [DSV03]. 
We, however, propose a symbolic bisimulation. For this, hedged bisimulation is a 
good starting point since it offers a compact and clear knowledge representation. 

Contributions of the Paper. We give a general symbolic semantics, not using 
auxiliary environments, for the full spi calculus. We then use this semantics to 
define the, to our knowledge, first symbolic bisimilarity for any spi calculus. 
These tasks are significantly more demanding than a straightforward adaptation 
of existing approaches in less complex calculi (see the above remarks). We show 
that this bisimulation is sound with respect to its concrete counterpart, but 
not complete. We argue that the incompleteness is not problematic for protocol 
verification, and propose in general terms how it could be removed. 

Summary. In §2, we briefly recall the version of the spi calculus that we are 
using. In §3, we compare the standard concrete operational semantics with a 
reasonably simple symbolic operational semantics. The latter is used, in §4, as the 
foundation for a symbolic “very late” hedged bisimulation, which is then shown 
to be sound with respect to concrete hedged bisimulation. In §5, we exhibit the 
proof technique on an example. We highlight, in §6, some incompletenesses that 
are, however, unproblematic for the security equations that we strive to prove. 
Conclusions and discussions on future work can be found in §7. 

A long version is available via http://lamp.epfl.ch/~jobo/. 



2 The Spi Calculus 

We assume the reader to have some basic familiarity with the notions and terminology of the pi calculus. Extending the pi calculus, the spi calculus also permits the transmission of complex messages, provided by the addition of primitive constructs for symmetric (shared-key) and asymmetric (public/private-key) encryption ($E_K\, M$) and decryption ($D_K\, M$), as well as hashing [AG99, Cor03]. In the long version of this paper, we also have primitive constructs for pairing and pair splitting, generalizing the possibility of the polyadic $\pi$-calculus to send several items atomically with nesting under encryption.

We build on the same assumptions on the perfection of the underlying cryptographic system as [AG99,BDP02], which we do not repeat here. As in [AG99, BDP02], and in contrast to [DSV03], we require channels to be names (i.e., not compound messages). This effectively gives the attacker the possibility to verify if a message is a name by attempting to transmit on it.

We assume an infinite set $\mathcal{N}$ of names. Names are used for channels, variables and cleartexts of messages. Hashing and public and private keys are denoted by the operator names $op \in \{H, pub, priv\}$. Expressions $F$ are formed arbitrarily using decryption, encryption and operators; messages $M$ may not contain decryption. Logical formulae $\phi$ generalize matching with conjunction and negation. The predicate $[F : \mathcal{N}]$ tests whether $F$ evaluates to a plain name. We also have a (redundant) predicate $[F : \mathcal{M}]$ to check whether the decryptions in a term can be successfully performed. Process constructs include input, output and guard prefixes, parallel composition and restriction.

$a, b, c, \ldots, k, l, m, n, \ldots, x, y, z$   names $\mathcal{N}$

$M, N ::= a \mid E_N M \mid H(M) \mid pub(M) \mid priv(M)$   messages $\mathcal{M}$

$F, G ::= a \mid E_G F \mid D_G F \mid H(F) \mid pub(F) \mid priv(F)$   expressions $\mathcal{E}$

$\phi, \psi ::= tt \mid \phi \wedge \phi \mid \neg\phi \mid [F = G] \mid [F : \mathcal{N}] \mid [F : \mathcal{M}]$   formulae $\mathcal{F}$

$P, Q ::= 0 \mid F(x).P \mid \overline{F}\langle G\rangle.P \mid \phi P \mid P + P \mid P \mid P \mid (\nu a)P$   processes $\mathcal{P}$

Free and bound names of terms and sets of terms are inductively defined as expected: $a$ is bound in “$(\nu a)P$” and $x$ is bound in “$F(x).P$”. Two processes are $\alpha$-equivalent if they can be made equal by conflict-free renaming of bound names. We identify $\alpha$-equivalent processes, except during the derivation of transitions. To treat asymmetric encryption, if $F = pub(G)$ (resp. $priv(G)$), we define $F^{-1}$ to be $priv(G)$ (resp. $pub(G)$) and otherwise we let $F^{-1} = F$.
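As an added example (not the authors' code), the following Python models the messages, expressions and formulae of this section as nested tuples and evaluates them under the perfect-cryptography assumption, implementing the inverse $F^{-1}$ for asymmetric keys and the predicates $[F : \mathcal{N}]$ and $[F : \mathcal{M}]$; it also checks the decryption guard of the receiver in the specification protocol of §1 against a received message. The tuple encoding, the helper names, and the reading of $[F = G]$ as false when either side fails to evaluate are assumptions of this example.

```python
# Added example (not from the paper): evaluate spi calculus expressions and
# guard formulae from Section 2 under the perfect-cryptography assumption.
# The tuple encoding of terms and the helper names are assumptions here.
from typing import Optional

# Terms are nested tuples: ("name", a), ("E", key, body), ("H", t), ("pub", t),
# ("priv", t); only expressions may also contain a decryption ("D", key, body).
def name(a: str) -> tuple: return ("name", a)
def enc(key: tuple, body: tuple) -> tuple: return ("E", key, body)  # E_key body
def dec(key: tuple, body: tuple) -> tuple: return ("D", key, body)  # D_key body
def hsh(t: tuple) -> tuple: return ("H", t)
def pub(t: tuple) -> tuple: return ("pub", t)
def priv(t: tuple) -> tuple: return ("priv", t)

def inverse(m: tuple) -> tuple:
    """F^{-1}: pub(G) and priv(G) invert each other; anything else is its own inverse."""
    swap = {"pub": "priv", "priv": "pub"}
    return (swap[m[0]], m[1]) if m[0] in swap else m

def evaluate(f: tuple) -> Optional[tuple]:
    """Reduce an expression to a message (a term without D).  Returns None when a
    decryption cannot be performed (wrong key or the body is not a ciphertext)."""
    op = f[0]
    if op == "name":
        return f
    if op in ("H", "pub", "priv"):
        sub = evaluate(f[1])
        return None if sub is None else (op, sub)
    if op == "E":
        key, body = evaluate(f[1]), evaluate(f[2])
        return None if key is None or body is None else ("E", key, body)
    if op == "D":
        key, cipher = evaluate(f[1]), evaluate(f[2])
        if key is None or cipher is None or cipher[0] != "E":
            return None
        # D_G (E_N M) evaluates to M exactly when G evaluates to N^{-1}
        return cipher[2] if inverse(cipher[1]) == key else None
    raise ValueError(f"unknown constructor {op!r}")

# Formulae: ("tt",), ("and", phi, psi), ("not", phi), ("eq", F, G) for [F = G],
# ("isname", F) for [F : N] and ("ismsg", F) for [F : M].
def holds(phi: tuple) -> bool:
    kind = phi[0]
    if kind == "tt":
        return True
    if kind == "and":
        return holds(phi[1]) and holds(phi[2])
    if kind == "not":
        return not holds(phi[1])
    if kind == "eq":  # assumption: matching fails if either side has no value
        lhs, rhs = evaluate(phi[1]), evaluate(phi[2])
        return lhs is not None and lhs == rhs
    if kind == "isname":
        val = evaluate(phi[1])
        return val is not None and val[0] == "name"
    if kind == "ismsg":
        return evaluate(phi[1]) is not None
    raise ValueError(f"unknown formula {kind!r}")

def receiver_accepts(k: tuple, received: tuple) -> bool:
    """Guard [D_k y : M] of the specification's receiver, with y := received."""
    return holds(("ismsg", dec(k, received)))
```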

Substitutions $\sigma$ are partial functions $[F_1/x_1, \ldots, F_n/x_n]$ from names $x$ to expressions $F$. Substitutions are applied to processes, expressions, formulae and 



